Tech Support For Dummies


Wednesday, 13 November 2013

Reaver Pro: a simple tool for cracking WPA on a LOT of wireless networks

Posted on 13:47 by Unknown
If wireless security testing is on your radar, you need to get Reaver Pro. As I outlined in this Hacking For Dummies, 4th edition chapter, Reaver Pro is a great tool for cracking the WPA pre-shared key on all those consumer-grade wireless APs/routers that everyone installs in the enterprise.

The latest version of Reaver Pro is very simple to use. No live CDs or VMs to boot. You simply connect the device to your test system's Ethernet port, connect the power adapter, browse to 10.9.8.1, log in, and you're ready to roll. Here is a quick video overview and here is a screenshot showing its interface:

Terry Dunlap with Tactical Network Solutions (the company that created and sells Reaver Pro) has a great team of sharp guys...and they've been very responsive when prompted with my mostly dumb questions.

If anything, let Reaver Pro be a reminder of two things:
  1. WPA is a proven wireless security control that's only as good as the weakest link on your network
  2. Consumer-grade wireless APs and routers don't have a place in a business setting - although they're on practically every network I see.
It seems to me that with the advent of WPA, WPA2, and enterprise-grade wireless security controls, people have let their guard down a bit with wireless security.

Don't be that guy.

As I like to say, you can't secure what you don't acknowledge! WPS is enabled by default in most situations. It's broken. Even if you have the option to throttle PIN requests, you need to find WPS and disable it (even on your home wireless). The convenience factor it provides is just not worth the risk of someone gaining full access to your wireless (and likely wired) network.
Posted in cool products, encrypting data in transit, Kevin's books, penetration testing, security testing tools, vulnerability assessments, wireless security

Tuesday, 12 November 2013

Low information users and the challenges they create

Posted on 08:25 by Unknown
Thanks to the political elite and the dumb masses they inspire, you've probably heard the term low information voter... In a nutshell, this term refers to people making a critical decision without knowing all the facts. As Winston Churchill once said, "The best case against Democracy is a five minute conversation with the average voter."

Interestingly, this concept and quote make me think of information security and why we need to prepare ourselves for today's threats. Have a five minute conversation with an average user on your network. Talk to them about what they do and don't do, the decisions that they're making regarding their computer usage, and so on, and it will likely become clear that we have a problem that we must solve.

If you're looking for answers to this human psychology challenge, here is a piece I wrote with tips for getting (and keeping) users on your side with IT and security.

Check out a related piece I wrote for Rapid7's blog:
Why business execs know more about security than you do

Best of luck! Keep in mind that stick-to-itiveness is the key to all of this.

Posted in careers, scary stuff, security leadership, selling security, stupid security, thinking long term

Monday, 11 November 2013

My latest security content (lots of stuff on application security)

Posted on 14:02 by Unknown
I thought you might be interested in my latest articles/tips on web and mobile application security:

Why you need to pay attention to the slow HTTP attack

Lessons learned from a web security breach

Application security calls for a proactive approach

Understanding the value of the OWASP Top 10 2013

The Role Of An Automated Web Vulnerability Scanner In A Holistic Web Security Audit

Are Obamacare’s health insurance exchanges secured? Likely not.

Can software quality pros shore up network security threats?

How do software quality pros navigate cloud computing security issues?

What are the hidden mobile app security threats to look out for?

Also, be sure to check out principlelogic.com/resources for links to hundreds of additional security resources I've written and developed over the past 12 years.
Posted in cloud computing, data breaches, DoS attacks, incident response, Kevin's security content, mobile apps, security standards, software development, vulnerability assessments, web application security

Friday, 18 October 2013

What you need to know about security vulnerability assessments (that no one is willing to share)

Posted on 07:37 by Unknown
I'd love it if you'd join me over at SearchSecurity.com next week where I'll be talking about the rest of the story regarding security assessments...

You know the tools and you're probably familiar with the methodologies...that's why I'm going to share with you many other important aspects of security assessments that, unless someone tells you, you'll likely only learn the hard way. And that's no fun.

In my webcast What you need to know about security vulnerability assessments (that no one is willing to share), I'll outline what to do, what not to do, and what you can expect to get out of your vulnerability assessments (or pen tests, or audits, or whatever you call them).

These are things that I've learned in over a decade and a half performing security assessments for hundreds of organizations, thousands of websites/applications/mobile apps, and tens of thousands of network hosts. And there's no cost to you.

Areas I'll cover are the essence of my book Hacking For Dummies, including:
  • Glaring flaws you’re overlooking today
  • Mistakes you're making...and cannot afford
  • Approaches that are guaranteed to help you find the most holes
  • Scoping your next round of testing to maximize its value and minimize your effort
Attendees will be included in a drawing for one of several signed copies of the new 2013 (4th) edition of Hacking For Dummies.

You can register here. Hope to see you next week!
Posted in Kevin's books, Kevin's security content, message from Kevin, penetration testing, security assessments, security audits, vulnerability assessments, webcasts

Tuesday, 8 October 2013

Windows 8.1 changes/enhancements, BitLocker's improvements, and related Windows mobile/security tips

Posted on 02:27 by Unknown
In addition to my independent information security assessments through my consultancy Principle Logic, I've been writing a ton...including a lot on Windows 8 and 8.1. Check out these new pieces published by my friends at TechTarget:

What's old, what's new for the enterprise with Windows 8.1

Understanding why Windows 8 for mobile is perfectly viable for enterprise use 

Don’t forget enterprise password protection in a merger or acquisition

Three ways Sysinternals Process Explorer reveals system usage

Ease Windows 8 frustration by focusing on what the OS actually does

Looking at Windows 8 BitLocker full-disk encryption and alternatives

You know the deal...check out principlelogic.com/resources for links to hundreds of additional security resources I've written and developed over the past 12 years.

Posted in bitlocker, Kevin's security content, mobile security, passwords, risk management, security management, security testing tools, windows 8, windows 8.1, Windows Mobile

Monday, 7 October 2013

Experiencing problems with authenticated web vulnerability scans? Try NTOSpider.

Posted on 11:38 by Unknown
You're performing authenticated web vulnerability scans, right? If you're not, you're missing out...big time.

When performing authenticated scans, you'll find a whole different set of security flaws likely consisting of session fixation, SQL injection (that often differs among user role levels), weak passwords, login mechanism flaws, and perhaps...just maybe that beloved cross-site request forgery flaw that may or may not be exploitable or even matter in the context of what you're doing.

Bottom line: you need to be testing for flaws behind your web login prompts.

The thing is, though, authenticated web vulnerability scanning can be extremely painful and inaccurate at best. If you're not paying attention, your web vulnerability scanner is not going to authenticate properly, it's not going to stay logged in, it's going to continually lock the user account (a major annoyance), or it's not going to properly crawl the entire application. Many of these pains are doubly true if your web applications are using Web 2.0 technologies (can we still call them that?).

Web vulnerability scanners are getting better and better, but the problems with authenticated web vulnerability scans still exist with most scanners I've tried - at least some of the time. Except one...NTObjectives' NTOSpider.

I've written about NTOSpider before (here and here) and in the interest of helping out my fellow IT/security professionals who are performing authenticated web vulnerability scans and experiencing these same pains, I feel I have to say something about NTOSpider again...

Check it out. It works extremely well with authenticated scans. Whatever Dan Kuykendall and his guys are doing to get the tool to establish and maintain state - for the entire scan, without locking up, or taking two weeks to run - it's working. Kudos.

One of the neatest things about NTOSpider is that it will tell you whether or not the scanner is logged in as you can see in the screenshot below:

It's a brilliant feature - something I haven't yet seen on any other web vulnerability scanner. I'm sure some people don't value such a feature (think: "Let's just get this scan done, check our box, and move on!") but it's very useful if you want to make sure your authenticated scans are running properly.

NTOSpider definitely won't find every web security flaw. I haven't yet found a scanner that will. With enough experience, you'll see that this is one of the fundamental problems we have with web vulnerability testing. Relying on a single web vulnerability scanner to find all the flaws is like relying on a single firewall to keep every threat out of your network. It's not going to happen.

NTOSpider is not perfect either. It has several quirks - some of which have been resolved in the latest version 6 (which is much improved). But, again, I haven't yet found a scanner that is perfect.

The only thing that matters is that NTOSpider feels perfect when it ends up getting you out of a bind like it has for me several times now in my web security vulnerability assessment work. Add it to your arsenal of multiple web vulnerability scanners. You won't regret it.
Posted in cool products, penetration testing, security testing tools, vulnerability assessments, web 2.0, web application security

Friday, 6 September 2013

Sprechen Sie Deutsch? Hacking For Dummies now in German!

Posted on 11:41 by Unknown
Check out the latest foreign-language edition of my book Hacking For Dummies:

Hacking For Dummies is now in 6 languages: English, Estonian, German, Italian, Portuguese, and Simplified Chinese. Very cool.

If you're like me and English is pretty much your only language, you can see more about that version here.

Prost!

Posted in hacking, Kevin's books, message from Kevin

Wednesday, 14 August 2013

Municipal information security weaknesses, hacking, careers, & committees

Posted on 03:31 by Unknown
Here's some new content I've written recently on various information security topics you might be interested in:

Government Security: Uncovering Your Weaknesses (common vulnerabilities I see when performing security assessments for municipalities)

Eight questions to ask yourself before moving to C-suite management (are you really sure you want to do this!?)

IT career paths: Working for yourself is an attainable dream (if you want to stop working for the man)

Top 9 ways to prevent hacking in your enterprise (seriously, you can if you get these basics in check)

How to form a functional enterprise IT security committee (okay, I use the word 'functional' loosely, but it's nowhere but up from here right!?)

In the meantime, check out my website for links to all of my other information security-related content.

Cheers!

Posted in careers, consulting, low-hanging fruit, personal responsibility, security committees, security leadership, thinking long term, vulnerability assessments

Monday, 12 August 2013

You can't see the light 'til you open your eyes...

Posted on 06:15 by Unknown
I noticed a lot of interesting topics/news coming from the Black Hat conference last week such as:
  • SSH Communications Security Unveils General Availability Of SSH Risk Assessor Tool
  • Preparing For Possible Future Crypto Attacks
  • Crack of mobile SIM card crypto and virtual machine features could let an attacker target and clone a phone
  • HTTPS Hackable In 30 Seconds: DHS Alert
No doubt, these are all worthy topics that will help improve information security over the long haul...researched and presented by people who are much smarter than me.

Yet, given where most businesses are with information security today, we've got *much* bigger things to be concerned with such as:
  1. Network shares - open to anyone on the network - providing unfettered access to sensitive information
  2. No proactive event monitoring using the proper tools and expertise (outsource it!)
  3. Firewalls with no passwords or a complex rulebase with a lot of redundancy and risky rules
  4. Phones and tablets with zero security controls
  5. Laptops with no drive encryption (I know most laptops, according to business executives who know more about security than their IT staff, have "nothing of value"...like the ones listed here, but still)
  6. Database servers without passwords, or with default passwords, serving up PII and more to anyone with simple curiosity and a copy of SQL Server Management Studio or Heidi SQL.
  7. Physical security access control and IP video systems that are accessible to anyone on the LAN (sometimes even Wi-Fi) for track covering, system disabling, video deletion, etc.
  8. Operating systems with patch management software that are *still* missing critical updates that are exploitable using free tools to provide full admin access to the system without the attacker ever having to "log in"
  9. Web apps with SQL injection, rampant cross-site scripting, and login mechanisms that are easily manipulated
  10. Mobile apps that have yet to see an iota of security testing
These are all things I find on a consistent basis... Not because I'm smart but because they're very predictable and often go ignored.

"Can't see the light 'til you open your eyes" ...minimal yet insightful lyrics from one of my favorite bands, Black Country Communion. The "light" that people aren't seeing because they're being distracted by flashy headlines, sky is falling "exploits", valueless auditor mandates, or IT execs who are (ironically) "threatened" by information security is the very light that's going to end up biting them if they're not careful...such as the items listed above.

I read something recently from sales/achievement expert Jeffrey Gitomer that said "People who are cocky and arrogant say, 'I know that,' and move along. People who are confident and positive ask themselves, 'How good am I at that?' and seek to improve."

Great tie-in to the point I'm making. Which side are you on?

Concentrate on the fundamentals and nothing else for now and as long as it takes to ensure you have true control over the information security basics that have been around for decades. Otherwise, you're ignoring the obvious that will rear its head at some point. As we see time and again in the research studies (Verizon DBIR, etc.), odds are much greater that you'll get bitten by something silly rather than a niche exploit that hits a relative few.

Finding and fixing the low-hanging fruit (the 20% of vulnerabilities that cause 80% of the problems) is something I've been advising for years and I'm going to keep doing it because that is where the risk is.
Posted in back to basics, compliance, incident response, low-hanging fruit, scary stuff, security leadership, stupid security, thinking long term

Thursday, 18 July 2013

Authenticated vulnerability scan pains...Rapid7 to the rescue.

Posted on 08:22 by Unknown
Apparently the folks at Rapid7 have people working on their Nexpose team that have actually performed security assessments for a living. You see, Nexpose has this seemingly trivial feature that can create a world of difference in the life of a security practitioner - it's part of the Site Configuration (i.e. scan settings) called Test Credentials as seen in the following screenshot:
 
Sanity brought about by people who use their own tools in real-world tests

Yep, with Nexpose you can actually test your login credentials before running authenticated vulnerability scans. Imagine that! The last time I remember seeing this feature was in Harris Corporation's STAT scanner about 10 years ago. Now, granted, I haven't used *every* vulnerability scanner out there but why don't we see this feature more often? Is it that difficult to implement programmatically? Am I alone in the quest to work more efficiently?

Please, the common response of "Just because you can login doesn't mean you have the privileges to get the results you need" won't cut it...
It's clear - the payoffs of being able to test login credentials in a vulnerability scanner are huge. Some benefits include:
  • confirmation, in advance (key phrase: in advance), that your authenticated scans will actually run
  • less time spent waiting to see what vulnerabilities lie behind the login prompt (there's a LOT more than meets the eye)
  • no reduction in your available scan count (if you happen to be using a tool that charges on a per-scan basis)
  • no time spent re-running scans (this can be worth hours of time, hassle, and embarrassment)
  • less cussing

I know...it seems trite and many vendors have shown that they're not interested in making such basic improvements to their scanners. I'm sorry - time is money. Given all the complexities and pressures associated with performing security testing today, the last thing you need is a tool that actually creates more work.

Nexpose saves the day on this one. Kudos Rapid7. Whoever was responsible for this feature, I want to hug their neck.
Posted in cool products, security audits, security testing tools, stupid security, thinking long term, vulnerability assessments

Tuesday, 16 July 2013

Never forget this

Posted on 05:59 by Unknown
Although we strive to get others on our side, here's a good reminder from the late Richard Carlson that applies to IT and information security that we should always keep in mind:

"The sooner we accept the inevitable dilemma of not being able to win the approval of everyone we meet, the easier our lives will become".

Speaking of building your confidence and independence, here are some new articles I've written that can help:

Four steps to become a leader in IT problem-solving

Prioritize your IT tasks and finally conquer your to-do list 

Working in IT? Simple steps to get users on your side

In IT planning, try zero-based thinking

Getting hired in IT: How to stand out

As always, check out my website for links to all of my other information security-related content.

Posted in careers, great quotes, information security quotes, Kevin's security content, politics, security leadership, selling security, thinking long term, time management

Monday, 15 July 2013

Infosec-related quote that strikes a chord

Posted on 06:43 by Unknown
I always love bringing philosophy, leadership, and personal responsibility into the information security discussion and here's one of the best quotes I've come across that resonates across all industries and businesses large and small:

"To see what is right and not do it is a lack of courage." - Confucius

What can you say to that...?

Let this be the fire within that you use to get (and keep) the right people on your side with security the second half of the year so you can have a stellar 2014.
Posted in careers, great quotes, information security quotes, personal responsibility, security leadership, thinking long term

Tuesday, 4 June 2013

The root of every infosec failure is...

Posted on 06:44 by Unknown
Time management expert Alec Mackenzie once said what could be the most profound statement ever that applies directly to what we do (or don't do) in information security:

"Errant assumptions lie at the root of every failure."

How's your security program looking today?
Posted in great quotes, information security quotes, security leadership, stupid security, thinking long term

Friday, 24 May 2013

Quoted in the Wall Street Journal this week

Posted on 04:57 by Unknown
I was quoted in the Wall Street Journal (Tuesday May 21 edition)...it's a piece written by Gregory Millman talking about how senior executives are often at the root of information security problems. Check it out:

Corporate Security's Weak Link: Click-Happy CEOs 
Top Bosses, Exempt From Companywide Rules, Are More Likely to Take Cyber-Attackers' Bait

As I've written in the past, this is a big problem in businesses both large and small based on what I see in my work:

The BYOD Security Loophole

What to do when the CIO gets in the way of enterprise IT security

Posted in BYOD, careers, Kevin's interviews, kevin's quotes, Kevin's security content, malware, mobile security, security leadership, stupid security

Tuesday, 21 May 2013

The next time you're feeling bullied...

Posted on 06:21 by Unknown
Ever have a psychopathic executive (in IT or otherwise) try to force you to do something you simply can't support, railroad you down the wrong path, or attempt to make you feel inferior? You're not alone - I see and hear about this a LOT. There are many people pretending to be leaders who are simply insecure in their jobs so they try to flex their muscle to put up a "strong and capable" facade. Ironically it does just the opposite.

Well, when it happens to you, listen intently (people love that) but keep this bit from Henry Wadsworth Longfellow in mind:

"He that respects himself is safe from others; he wears a coat of mail that none can pierce."


Much of what we do in IT and infosec is merely playing the game of politics. If you understand people and why they act the way they do (it's all based around self-esteem), you can simply play along and attain some semblance of peace at work.
Posted in careers, goal setting, scary stuff, security leadership, stupid security, thinking long term

Saturday, 18 May 2013

Web security answers are changing - a frustrating, challenging, and humbling journey

Posted on 03:40 by Unknown
In reading one of Brian Tracy's books, Brian discusses a story of Albert Einstein and an exam he gave to his graduate physics class at Princeton University. After the exam, Dr. Einstein was approached by a student who asked: "Dr. Einstein, wasn't that the same exam that you gave to this physics class last year?" Dr. Einstein replied "Yes, it was the same exam as last year." The student then asked "But Dr. Einstein, how could you give the same test two years in a row?" Dr. Einstein replied "Because, in the last year, the answers have changed."

This story illustrates the complexities around web application security: how much it changes, how complex it can be, and, most certainly, how no one has all the answers.

I've been fortunate to have the opportunity to test the security of many websites and web applications over the past decade. It's what I love doing the most in my work because every new site/application is a new experience. Of course, some of the security flaws are the same across the board but every new project brings unique challenges. The enormity of the matter is very humbling.

The things that defined web application security flaws (and fixes) last year may not be true this year. The answers are continually changing. Given these factors, I wanted to share with you some of my recent experiences and ideas on how you can get a better grip on this ever-changing target:

Your Scanning Experience Determines Your Scanning Success

What can Developers do to Better Protect PII?

Finding Web Flaws is not Point and Click

Responding to DoS attacks at the web layer

Should you Test Development, Staging or Production?

Posted in automated scanner oversights, DoS attacks, Kevin's security content, penetration testing, pii, security testing tools, software development, vulnerability assessments, web application security

Thursday, 2 May 2013

Is your approach to application security based in reality?

Posted on 08:55 by Unknown
I know I say this a lot here - I've been so busy writing that I've been remiss in posting my actual content. So...I've got some content on web and mobile application security and penetration testing this time around.

You see, there are so many researchers, theories, and academic approaches to web and mobile security that it's simply overwhelming. Much of it doesn't apply to what businesses really need to be addressing anyway. Taking the 80/20 approach, what do you really need to focus on that's going to provide the highest payoffs?

Well, in the spirit of my book Hacking For Dummies (be sure to check out the new 4th edition), here are some tips I've written for my friends at TechTarget and Acunetix on some important web and mobile application security issues you need to be tuned in to beyond all the noise that's out there:

Don't Let Problems Stop You From Carrying Out Web Application Testing (before 'Too Scared to Scan' was cool ;-)

Mobile app software: Avoid the perpetual cycle of insecurity

Hybrid security: Beyond pen testing and static analysis

Mac Malware Underscores Why You Can’t Ignore Web Security Threats

Do You Scan with Network Security Controls Enabled or Disabled?

Take Care in Handling the Results of Your Web Application Testing

Much more to come on web and mobile security testing...It's what I love doing and I've learned a tremendous amount while doing it over the past decade.

In the meantime, check out my website for links to all of my other information security-related content.

Cheers!

Posted in Kevin's security content, mobile apps, mobile security, penetration testing, security assessments, security testing tools, source code, source code analysis, vulnerability assessments, web application security

Friday, 26 April 2013

Clueless in the cloud - think before you act

Posted on 08:30 by Unknown
A recent Network World piece about an RSA 2013 panel that covered cloud forensics and whether your cloud providers will be able to come through for you in the event of a lawsuit or breach brings up some critical pitfalls of cloud computing.

Two things are certain:
  1. If you're lucky enough for your business to be around for the long haul, odds are that it'll ultimately be hit with a lawsuit or a breach in some capacity, some way, that will involve a cloud provider. And...
  2. Your cloud providers won't be prepared to help you out. At least in the foreseeable future.
In an era where cloud providers still believe "security" is an SSAE 16 checkbox, we've got a looong way to go before they're going to be in a position to help us in even greater capacities such as these. They simply don't have the means nor the incentive.

I can't stress this enough: unless you want to appear foolish, think through the security, legal, and business aspects of cloud computing before you fall for the marketing hype and jump on the bandwagon.

I've written pieces with more insight and prescriptive cloud advice here. Take it slow and good luck.

Posted in cloud computing, compliance, legal, scary stuff, security assessments, stupid security

Tuesday, 23 April 2013

Wednesday (early) morning's webcast: State of Cyber Security 2013

Posted on 18:07 by Unknown
ISACA and TechTarget are putting it on...It starts tomorrow (Wednesday) morning at 7:45am ET.

Several thousand people will be in attendance...it's the largest crowd I've ever spoken to.

It'll be engaging. It'll be informative. You'll hear what I really think about Obama's Cybersecurity mandates.

You can't miss it.

I'll be kicking things off with the keynote...then I'll be followed by some true information security experts:
  • Theresa M. Grafenstine, Inspector General U.S. House of Representatives
  • Dr. Ron Ross, senior computer scientist and information security researcher, National Institute of Standards and Technology (NIST)
  • Jack E. Gold, founder and principal analyst at J.Gold Associates
and...
  • Chenxi Wang, former vice president and principal analyst, Forrester Research Inc.
This is going to be good...I promise. And you can join in the live Q&A to ask me a question, throw me some curve balls, perhaps even send some heckles my way.

Would love to see you there. You can register here. 

Thanks a ton to Kara Gattine, Rachel Shuster, Chris Bent, and all the other fine folks at TechTarget for making this happen.
Posted in cybersecurity bill, Kevin's keynotes, Kevin's security content, webcasts

Saturday, 6 April 2013

Must-have Thunderbird to Outlook conversion tool

Posted on 11:37 by Unknown
I recently decided to convert my Thunderbird email to Outlook and didn't have a lot of luck finding a tool that actually worked. Maybe it's because I have a pretty complex Thunderbird configuration with emails dating back to the first messages I sent and received using Netscape Mail (remember that from the 1990s?).

I came across a tool that was a perfect fit for what I needed: Aid4Mail Professional by Fookes Software. It seemed too good to be true but it actually worked! Aid4Mail was relatively quick and I ended up with a .pst file that I could use in Outlook. What I appreciated just as much as the software was the service. I ended up needing some extra help and Julian was very prompt in his replies.

If you're going to buy it, pay the $20 extra and get the 1-year license rather than the 1-time use license. My decision to purchase the latter was part of why I had to bug Julian several times but he ended up getting me out of the bind I was in. I'm probably going to need to acquire another license (1 year this time!) because I still have some work to do but at least I now know what tool to use for this purpose.

Definitely a tool worth checking out if you're one of the prideful few like myself who is still using Thunderbird or any of the other old-school email clients that Aid4Mail supports (e.g., Windows Mail, Apple Mail, Eudora, Pegasus).


Posted in cool products

Wednesday, 3 April 2013

Regardless of the subject, people see what they want to see

Posted on 13:08 by Unknown
Here's a great quote by Jay Abraham that resonates with IT, information security, politics - you name it:

"An amazing thing, the human brain. Capable of understanding incredibly complex and intricate concepts. Yet at times unable to recognize the obvious and simple."
Posted in government intrusion, government regulations, great quotes, information security quotes, personal responsibility, scary stuff, stupid security, thinking long term

Thursday, 28 March 2013

The idiocy of gun control summarized in a single graphic

Posted on 12:38 by Unknown
I reference "heads in sand" quite often regarding information security but no subject better summarizes this concept than people's willingness to let the government tell them when and where they can defend themselves and their families from criminal thugs. This graphic (source unknown) says it all:


Ask anyone who's against self-defense, personal responsibility, and free will if they'd consider putting a sign in their yard or on their door that says "This is a gun-free home" and watch their response. Complete and utter idiocy.

The politicians are going to get what they want...eventually. And one day, Americans will wake up and say "What happened!?".

Heads in sand indeed.


Posted in personal responsibility, scary stuff, stupid security, thinking long term

Monday, 25 March 2013

Default to F.U.D. and everything'll be okay

Posted on 07:39 by Unknown
If you can't convince them, confuse them.

That's what Harry Truman once said and it reminds me of many IT and information security professionals. They struggle to communicate effectively so they just take the lawyer route and attempt to make things even more confusing...and we wonder why many people outside of IT don't take us very seriously.
Posted in careers, communication, security leadership, thinking long term

Thursday, 7 March 2013

Got Compliance? Here's my way of reducing your pain just a bit.

Posted on 05:52 by Unknown
It's been a while and the content is stacking up, so here's the first of many upcoming posts on new content I've written. This time up, it's a set of tips I've written for Ben Cole at SearchCompliance.com about that dreaded subject...you guessed it....compliance.

Enjoy!

Considering a career in compliance? Heed these warnings first

Audits, maintenance crucial to business continuity policy success

Control, visibility essential to records management and compliance

Beware the perils of organization-wide compliance policy involvement

The sometimes-harsh realities of information security and compliance

Security considerations around enterprise content management

Five corporate compliance program traits you need to prevent breaches

As always, check out principlelogic.com/resources for links to all of my information security whitepapers, podcasts, webcasts, books, and more.
Posted in careers, compliance, data breaches, ediscovery, incident response, Kevin's security content, security audits, security management, security policies

Friday, 1 March 2013

Got WordPress? You'd better secure it.

Posted on 13:21 by Unknown
If you use WordPress, take note. My colleague Robert Abela, one of the foremost experts on WordPress security, has a new course at Udemy.com on Securing a WordPress Blog or Website for Beginners that you should check out.

The course costs $15. When you use the coupon code OnWheels, you'll receive a $5 (33%) discount.

Don't let your guard down because "it's just a marketing site". WordPress-based sites can have tons of security flaws that can be used against you and your business, so be careful.
Posted in cool products, message from Kevin, web application security, web server security

Thursday, 28 February 2013

Mobile app security assessments

Posted on 14:13 by Unknown
I wrote recently about performing source code analysis for mobile apps. I'm seeing some crazy stuff that I didn't think I'd see in mobile apps (but I'm not really surprised) related to session manipulation, hard-coded cryptographic keys and the like which underscores the importance of the exercise.

But there's another side to mobile app security assessments: manual analysis. That is, poking around with the apps and the mobile devices using good tools and proper techniques to find and demonstrate security- and forensics-related flaws that aren't uncovered in traditional user, functional, and QA testing. In recent application assessments, I've found things like:
  • login-related weaknesses
  • information mishandling
  • insecure interactions with external applications/systems
  • exploits in general functionality that put PII at risk
Odds are good that you or someone you know is rolling out a new mobile app. Or perhaps you were an early adopter and need to validate that your existing apps are reasonably secure. The question is: What are you doing to ensure things are in check? 

Like I say about a lot of things related to information security...do it yourself, allow me to help, or hire someone else - just do something.
Posted in message from Kevin, mobile apps, mobile security, penetration testing, source code analysis

Thursday, 21 February 2013

Yet another reason to get more in tune w/mobile & the cloud

Posted on 10:36 by Unknown
Here's a good post from Elcomsoft's Vladimir Katalov that underscores the dangers in several areas I've written and spoken about in recent years:
  1. Cloud security - especially as it relates to mobile apps (and in the case of this piece, iCloud) 
  2. Mobile control - BYOD, MDM and all those buzzwords sound nice but what exactly are you doing to ensure the business information that's being carelessly handled by your employees is kept in check? What's going to happen when it's exposed via such backdoors? 
  3. Legal documents - you can have all the privacy laws, policies, and end user agreements in the world but, at the end of the day, they're basically worthless. If the imperial government wants something, especially control like I talked about here, they're going to get it.
It's time to wake up and take some action.

Monday, 18 February 2013

Self-delusion + infosec= foolishness

Posted on 07:00 by Unknown
I thought this quote from Ronald Reagan was quite fitting for President's Day:

"If history teaches anything, it teaches that self-delusion in the face of unpleasant facts is folly."
Posted in careers, great quotes, information security quotes, security leadership, stupid security

Tuesday, 12 February 2013

Mobile app security testing - are you checking for all the flaws?

Posted on 13:54 by Unknown
I plan to write a related post soon on my mobile app security assessments. In the meantime, I wanted to share a tool with you that plays a key role in mobile app security: Checkmarx CxDeveloper (or perhaps more appropriately called CxSuite).

If you're a developer, QA professional, security manager, or IT generalist, this is a good tool to have for all of those gotta-have-now apps that everyone is throwing together and getting into the app stores.

I've used CxDeveloper to find flaws in iOS and Android-based apps that may not be discovered via traditional testing, such as:
  • Code injection
  • Session fixation
  • Path traversal
  • Weak passwords
  • Hard-coded cryptographic keys

...all things that I'm not smart enough to find on my own. Nor do I have the time.

For a few years now, I've dealt with the folks at Checkmarx and everyone from their CTO to their Director of Marketing - and a few others in between - has been super nice and responsive to my sometimes ridiculous requests.

Here's a guest blog post I've written for them:
Three compelling reasons to check your mobile app source code

And a webinar as well:
The Business Value of Partial Code Scanning

I also cover CxDeveloper in my Mobile Security chapter in the latest edition of my book Hacking For Dummies.

CxDeveloper isn't without its flaws. Its installation process and interface can be cumbersome, but nothing that can't be overcome. It's certainly a worthy alternative to the big-box competitors...check it out if you want to find out the rest of the story with your mobile apps.
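As an added example (not code from this post, from Checkmarx, or from Hacking For Dummies), here is a small Python scanner for the "hard-coded cryptographic keys" and "weak passwords" findings listed above, which are also the kind of thing the February 28 post on mobile app security assessments describes turning up. It runs three heuristics over source text: a string literal or constant handed straight to javax.crypto's SecretKeySpec (following the constant one hop within the same file), a string literal assigned to a credential-looking identifier, and any long, whitespace-free literal with high Shannon entropy. The sample "files" are constructed for this example; the class and identifier names in them are hypothetical and are not from any real app.

```python
"""Heuristic scan of source text for hard-coded keys and credentials.

Added example, not code from the post or from Checkmarx.  The sample
files below are constructed for the example and are not real app code.
"""
import math
import re
from collections import Counter

# Constructed sample sources (hypothetical names; not a real app).
SAMPLE_FILES = {
    "CryptoUtil.java": '''
        package com.example.app;
        import javax.crypto.spec.SecretKeySpec;
        public class CryptoUtil {
            // hypothetical hard-coded AES key, the pattern the post warns about
            private static final String KEY = "k9F3xP2mQ8vL1zT4";
            static SecretKeySpec spec() {
                return new SecretKeySpec(KEY.getBytes(), "AES");
            }
        }
    ''',
    "Login.java": '''
        String passwd = "admin123";
        String apiToken = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=";
        String seed = "7h2Zq9Lm4Xw1Ne8Rt5Yb";
        String greeting = "Welcome back to the application";
    ''',
    "Viewer.m": '''
        NSString *password = @"s3cretP@ss";
        NSString *label = @"Open";
    ''',
}

STRING_LITERAL = re.compile(r'"([^"\n]+)"')
# A literal, or a constant's bytes, passed directly to javax.crypto's SecretKeySpec.
KEYSPEC_CALL = re.compile(r'SecretKeySpec\(\s*(?:"([^"]+)"|(\w+)\.getBytes\(\))')
# A string literal assigned to an identifier whose name suggests a credential.
CREDENTIAL_ASSIGN = re.compile(
    r'\b\w*(?:pass|pwd|secret|token|api_?key)\w*\s*=\s*@?"([^"]*)"', re.IGNORECASE)

ENTROPY_MIN_LEN = 16     # shorter literals are too noisy for the entropy rule
ENTROPY_THRESHOLD = 3.5  # bits/char; random base64/hex sits around 4, prose 2-3


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal's byte distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def resolve_constant(source: str, name: str):
    """One-hop lookup of `NAME = "literal"` in the same file, or None."""
    m = re.search(r'\b' + re.escape(name) + r'\s*=\s*"([^"]*)"', source)
    return m.group(1) if m else None


def scan_source(filename: str, source: str) -> list:
    """Return (filename, rule, value) findings; a value is reported once per file."""
    findings, seen = [], set()

    def report(rule, value):
        if value not in seen:
            seen.add(value)
            findings.append((filename, rule, value))

    for m in KEYSPEC_CALL.finditer(source):
        literal, ident = m.group(1), m.group(2)
        value = literal if literal else resolve_constant(source, ident)
        report("secretkeyspec", value if value else f"{ident} (unresolved)")
    for m in CREDENTIAL_ASSIGN.finditer(source):
        report("credential_name", m.group(1))
    for m in STRING_LITERAL.finditer(source):
        lit = m.group(1)
        if (len(lit) >= ENTROPY_MIN_LEN and not any(ch.isspace() for ch in lit)
                and shannon_entropy(lit) >= ENTROPY_THRESHOLD):
            report("high_entropy", lit)
    return findings


def scan_files(files: dict) -> list:
    """Scan every (name, source) pair, preserving file order."""
    results = []
    for name, src in files.items():
        results.extend(scan_source(name, src))
    return results


if __name__ == "__main__":
    for fname, rule, value in scan_files(SAMPLE_FILES):
        print(f"{fname}: [{rule}] {value}")
```

Note the division of labour between the rules: the entropy rule alone would never catch "admin123" (short and low entropy), which is why the credential-name rule exists, and a static scanner cannot tell a test fixture from a production key, so every hit still needs the hands-on review the manual-analysis post describes. Expect false positives on base64-encoded icons, UUIDs and similar high-entropy literals.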
Posted in cool products, Kevin's security content, mobile apps, mobile security, security testing tools, source code, source code analysis, web application security, webcasts

Wednesday, 6 February 2013

Reactive security, eh? How’s that workin' for ya?

Posted on 12:10 by Unknown
Every time I browse the Chronology of Data Breaches and read the headlines coming out from Dark Reading, threatpost, and the like, I can't help but shake my head.

What is it really going to take to get people - mostly management, but some in IT - to fix the stupid, silly, low-hanging fruit that's plaguing so many networks today...? Well, here's a new piece I wrote for the nice folks at Lumension where I delve into this subject a little more.

As Thomas Jefferson said, "Determine never to be idle. It is wonderful how much may be done if we are always doing." Our security problems can be fixed if we choose to fix them.


Posted in back to basics, great quotes, information security quotes, Kevin's security content, low-hanging fruit, stupid security, thinking long term

Wednesday, 30 January 2013

What's your communication style?

Posted on 07:12 by Unknown
Great IT & infosec-related quote:

"Wise men talk because they have something to say; fools, because they have to say something." -Plato

Good communication is arguably the most important factor for success.
Posted in careers, communication, great quotes, information security quotes

Tuesday, 29 January 2013

Introducing the brand new Hacking For Dummies, 4th edition

Posted on 06:18 by Unknown
Well, it's here...the fourth edition of my book Hacking For Dummies is officially available today!



Starting in the summer of 2012 and ending just before Christmas, I put over 200 hours of blood, sweat, tears, and occasional cussing into this edition...more than any previous update to the book. That said, my savvy technical editor, Peter Davis, and the wonderful editors at Wiley, Becky Huehls, Virginia Sanders, and Amy Fandrei were the real magic behind it all.

Thanks to everyone's hard work, I truly feel like Hacking For Dummies has finally come of age.

You're not going to learn every single technical detail of every possible security test. As I've said in the past, you need to use the proven time-management principle of focusing on the urgent and the important...eliminating the nasty, silly, and dangerous low-hanging fruit in your environment. That's exactly what Hacking For Dummies, 4th edition is all about.

In addition to walking you through, step by step, the entire information security assessment process (understanding the threats, planning, testing, reporting, and plugging the holes), I also talk about getting management buy-in and costly mistakes to avoid. I share my real-world experiences on what to do and what not to do in order to get the most out of your information security testing and risk management processes.

This edition has a lot of new content including coverage of Windows 8, mobile devices, and mobile apps. I've also fleshed out my chapters on hacking passwords, wireless networks, and web applications.

Hacking For Dummies is not the be-all end-all resource for information security testing. I wouldn't want to put myself out of business! And after all, there is no definitive resource on this subject.

What I can say is if you're looking for a no frills, common sense, street smart guide on the core essentials of ethical hacking, the key vulnerabilities to test for, and some hard lessons I've learned along the way, then Hacking For Dummies, 4th edition is for you. Check it out...I think you'll like it.


Posted in back to basics, ethical hacking, hacking, Kevin's books, low-hanging fruit, message from Kevin, penetration testing, security testing tools, vulnerability assessments

Monday, 21 January 2013

Student information systems rife with security flaws

Posted on 06:35 by Unknown
Here's an interesting story from Slashdot today about a college student being expelled after pointing out flaws in his college's student information system.

What he's seeing is no surprise. Starting with my days working for IBM's EduQuest division, for the past 20 years or so I've seen numerous K-12 and higher education student information systems chock full of security flaws. Stupid, silly security flaws like SQL injection, cross-site request forgery, URL manipulation, no passwords - you name it...none of which should've been around 10 years ago, much less today. But they're there.

Folks, if you work for a K-12 school, university, or you're a parent curious about how your student's information is being handled (and protected), start asking questions like:
  • When was the last time this application was tested for security flaws? (their vendor's SSAE 16 report won't cut it)
  • What was done about the flaws that have been discovered up to this point? (even when flaws are found, many people still have political, financial, and time management hurdles that get in the way of improvements)
Someone needs to be in charge of managing these risks.

Certain people at the school level will tell you that student information is secure because their auditor ran Nessus and everything checked out okay. Need I say more?

The student information system vendors will tell you their applications are secure because they have good programmers. Again, based on what I've seen, they're most definitely not.

Even if the vendors delivered flawless code, there's still integration and customization unique to each school that can introduce some ugly stuff that puts student information at risk.

Be wary and don't be afraid to push the people responsible for making things right.
Posted in automated scanner oversights, FERPA, government regulations, pii, scary stuff, student information systems, third-party applications, web application security, web server security

Friday, 18 January 2013

Dear Neal Boortz,

Posted on 13:07 by Unknown
With this being your final day on the air, I thought it would be appropriate for me to send you a note of thanks for all you've done for me the past 20 years or so that I've listened to your radio show. Rather than wax poetic in paragraph format I want to list out the things you've taught me that have greatly enhanced my life.

Neal, you have taught me:

  • To be an independent thinker
  • To question liberals and conservatives - especially those who want to force their ideals upon us and control us using the police power of government
  • To work hard, really hard - and then keep on working some more (the 40 hour work week is for losers indeed)
  • To take care of my health
  • To appreciate every moment with the people I really like to be around (I really miss Royal too)
  • To not be afraid to speak my mind if I feel strongly about something (you helped inspire the name of my company, Principle Logic)
  • To read, read, read and take in as much knowledge as possible
  • To be a better writer
  • To hold people accountable
  • To laugh
  • To go all out

My late mother, Linda Beaver, used to call me Neal Boortz Junior...all the time. She loved you too. I know she's happy for you as well.
 
With each day that passed this week, I got a bit choked up knowing that I was one day closer to losing the very inspiration and insight that has helped me reach such a great point in my life. Around 11:58am today, as you were signing off, it all came to a head and I broke down.

I owe you a debt of gratitude Neal. A big one. I wish I could repay you somehow.

Most importantly Neal, e n j o y  y o u r  r e t i r e m e n t. You're a very lucky man because of all the luck you've created - now go have some fun! Just know that you'll be greatly missed.

Adios MFer! ;-)

Sincerely,
Kevin Beaver
Posted in message from Kevin

Monday, 14 January 2013

How are you getting your points across?

Posted on 07:54 by Unknown
Here's a great point to remember regarding information security:

"A mediocre person tells. A good person explains. A superior person demonstrates. A great person inspires others to see for themselves." -Harvey Mackay
Posted in careers, security leadership, selling security, thinking long term, user awareness