You can't secure what you don't acknowledge.SM

Thursday, May 5, 2016

Twitter hack--NFL draft consequences

I recently received this press release regarding Ole Miss offensive tackle Laremy Tunsil's Twitter account and how it affected his NFL draft:


Will someone please tell me how the consequences of basic security weaknesses surrounding social media, passwords, and malware do not impact us all personally and professionally.

Wednesday, May 4, 2016

Yet another over-hyped security flaw making the headlines

For years now, I've ranted here and elsewhere about the nonsensical niche security "flaws" uncovered by researchers and academic scholars that often have no real bearing on business or society. There are always caveats, always reasons why these super-complicated exploits won't work, yet they make the headlines time and again. The recent Waze app discovery is a great example:

Vulnerability in Google's Waze app could let hackers track you, researchers say

Look past the hype, the justifications for job security and research funding. Focus on the things that matter, folks. Year after year, the studies show the same stuff, yet we keep ignoring it.

Monday, April 25, 2016

Wednesday, April 20, 2016

What you need to know about Checkmarx CxSAST version 8

Application security tool version upgrade usually don't excite me as it's often the same old, same old with a few new checks and niche features. However, the new version of Checkmarx CxSAST (formerly CxSuite, CxDeveloper, etc.) is spot-on. The next generation of the popular static source code analyzer - version 8 - was recently released and it contains some much-needed improvements over its predecessor.

One thing that's glaringly evident in version 8 is the streamlined installation process. Minimal options. No tricky questions. No random services installed to junk up your system (at least that I know of). It just installs and is ready to use in less than 5 minutes. I installed CxSAST on a much less powerful virtual machine than I had version 7 running on and it actually seems to be much faster. I'm not sure if this was by design or if it's just something in my head but it's a nice new feature. Additional features in version 8 (currently 8.0.1) that I think are beneficial include:
  • Major overhaul in the user interface - it was a long-time coming and it's lot better/easier. Here's a sample screenshot:

  • A new vulnerability state option of “Proposed Not Exploitable” for findings that are likely non-issues (you get quite a few of these when performing a source code analysis)
  • I haven't yet tried it (but suspect I will as my testing environment changes often) - apparently the CxSAST engine can now be deployed without enforcing the Hardware ID for the license. Nice.
  • Incremental (partial) scans can now be run via the native IDEs in Eclipse, IntelliJ, and Visual Studio
Checkmarx CxSAST has as much language support than other products I'm familiar with by supporting the traditional languages (C#, Java, VB.Net, PHP) as well as Ruby, Objective C, JavaScript, etc. To me, the mobile app support for Android and iOS is one of its biggest selling points.

I'm seeing an uptick in source code analysis interest. Perhaps it's because people are realizing that web vulnerability scanners and manual analysis simply can't find it all. Regardless, if you're looking to integrate source code analysis into your SDLC or do some last-mile security checks on enterprise web applications, mobile apps, or even legacy client/server applications, Checkmarx CxDeveloper, I mean CxSAST, needs to be on your radar. Here's a screenshot of some sample findings from the tool after scanning a Java application - many of which were not uncovered during traditional web vulnerability testing:

By the way, in the event you're looking to brush up on your application security skills, Checkmarx's Vulnerability Knowledgebase is a good resource for details on various application security vulnerabilities.

Thursday, April 14, 2016

Will the DBIR include Verizon's latest breach?

I'm a little late to pull the trigger on this but felt compelled to ask the question nonetheless:
Will Verizon include it's recent breach in its (presumably) forthcoming Data Breach Investigations Report

...It's related to this press release I received ~3 weeks ago:

Wednesday, April 13, 2016

Why data classification is a joke

I just saw this post on Slashdot about 0bama saying that classified means whatever it needs to mean. It reminds me of how data classification is treated as an information risk management function in the enterprise: mostly non-existent:

Data classification programs that do exist are typically a joke whereby IT and security handles everything with no involvement from the business or legal or legal handles everything with IT and security being out off the loop altogether. I wrote an article related to this for Ziff Davis a couple of years ago:
The funny thing about "confidential" information

...I'm not even sure why we bother going through the's like security policies that are not enforced - who are we kidding!?

Wednesday, March 2, 2016

A patch for stupid, PCI DSS penetration testing tips, and focusing on what matters in security

Here are some articles and guest blog posts I've written for my friends at TechTarget, Ziff Davis, AlgoSec, and Rapid7: - See more at: follare some articles and guest blog posts I've written for my friends at TechTarget, Ziff Davis, AlgoSec, and Rapid7:
The following are some new articles I've written for TechTarget and Ziff Davis. Enjoy!

Maybe there is a patch for stupid
Six areas of importance in the PCI Penetration Testing Guidance
Niche security flaws should NOT be your focus
check out the other information security content I've written over the years on my website at

Also, check out the other information security content I've written over the years on my website at

Monday, February 22, 2016

New independent content on information security

Here are some articles and guest blog posts I've written for my friends at TechTarget, Ziff Davis, AlgoSec, and Rapid7:

Key Network Security Questions You Need To Ask Your Cloud Vendors - Now!

Everything happens for a reason in security

How one bad decision brought down an enterprise e-commerce site in minutes

With security, periodic and consistent is key

How emerging threat intelligence tools affect network security

The science behind bad passwords


Also, be sure to check out the other information security content I've written over the years on my website at

You can also check out the other information security content I've developed over the years on my website at - See more at:

You can also check out the other information security content I've developed over the years on my website at - See more at:

You can also check out the other information security content I've developed over the years on my website at - See more at:

Monday, January 25, 2016

LUCY - a very powerful email phishing tool

If you're an IT or information security professional you need to know about a great - and relatively new - tool that you can use as part of your security assessment and/or user awareness and training's called LUCY. I came across a small online blurb about LUCY a few months ago and thought I would check it out. Having dealt with both open source and commercial email phishing tools that have either gone kaput or the vendors have no interest in serving an independent consultant like myself, it looked like LUCY might be just what I needed. It is.  

Available as a virtual machine download or an application running in the cloud, LUCY supports traditional email phishing campaigns but it goes several steps further by supporting SMiShing (SMS phishing), the simulation of malware attacks, Word macros, and it has a bunch of other features. LUCY's reporting capabilities are nice as well. The following is a sample of one page of the LUCY Web interface and you can see more for yourself here.

Before I discovered LUCY, I was seriously considering hiring a developer to write my own email phishing tool. I'm glad I didn't because I would have missed a whole lot of features that I never would've thought about. I'm also confident that I would've ended up getting in over my head with such a project. That's the great thing about working in this industry – I get to rely on the brainpower, findings, and products of all of the researchers and developers who are way smarter than me.

LUCY's feature set is nice but, to me, the best part is the support that I have received from its Swiss-based creator, Oliver Münchow. Oliver was very responsive and extremely patient with me as I got my environment up and running. In fact, I bugged him with so many DNS/SMTP configuration and user workflow questions (when, in many cases, I should've read the fine manual) he told me that he obviously needs to make some tweaks to the documentation and the functionality of the program. :-) He already has. Pretty cool.

Studies from Verizon, Trustwave, and others all show that social engineering via email phishing is one of the most popular attacks. It's just too simple and too effective. Many (most?) businesses today are making it too easy for criminal hackers to carry out their malicious acts for ill-gotten gains. I've been doing this type of work more and more as part of my overall security assessment projects and the results are pretty scary. If you're not doing email phishing testing, you can't honestly say that you're looking at everything - testing for all possible vulnerabilities - in your environment.

Whether you work for someone else or for yourself, you should check out LUCY if you're in need of simple to use, yet powerful, email phishing and security awareness/training campaign capabilities that you can get up and running almost immediately. Minimal technical expertise is required. Maximum value is pretty much guaranteed. 

You can check out more about social engineering and email phishing (tips, tools, and techniques) in the brand-new 5th edition of my book, Hacking For Dummies.

Wednesday, January 20, 2016

Worst passwords (on your network right now)

The fifth-annual Worst Passwords List put out by SplashData is here and the findings aren't terribly surprising. Here are the top five:

#1: 123456
#2: password
#3: 12345
#4: 12345678
#5: qwerty
Good stuff! What's that quote about insanity? 

One of those security basics that we'll likely continue to ignore until the end of time. That's alright, as some of the best sideline analysts will proclaim: we need not focus on such trivial things. Well, they have a point. After all, there are really cool technologies people can spend tons of money on instead. It's that kind of investment that makes it look like things are happening in and around IT!

Thursday, January 14, 2016

Hacking For Dummies, 5th edition - Brand new and more of what it oughta be

It's official - the 5th edition of my book Hacking For Dummies is out!

Outside of the first edition that was written 13 years ago, this new edition has, by far, the most updates and improvements yet. All based on the mistakes I make and the things I learn in my hands-on work performing independent security vulnerability assessments and penetration tests, I feel like Hacking For Dummies has come of age.

In this new edition, I have added in new security checks and tools (i.e. Kali Linux) for many of the chapters. I've sprinkled in some more coverage on the cloud where necessary as well as updates on security testing methodologies. I also provide links to more (and more current) tools and resources in the appendix. I cover Windows 10 and even some of the latest security controls in Android Lollipop and M as well as iOS 9. I also have a new section on the Internet of Things.

Perhaps most importantly, I've eliminated a lot of the preachiness and references to "ethical" hacking and "hackers" and, instead, have put things more in terms of IT security professionals and security testing programs...It's security vulnerability assessments and penetration testing as it should be.

From the get-go, my goal with this book was not to cover every single niche hack that comes out - I'm not that smart and certainly don't have enough time (or pages) to do so. Instead, my goal is to hit the important areas that are getting so many enterprises into trouble (i.e. the low-hanging
fruit) as well as to outline the security assessment process from start to finish, i.e. planning things out, understanding the mindset and methodologies all the way through the testing and then follow-up,
including keeping management on board. I'm not aware of any other book that does this and believe that's where the real value in all of this is.

Thanks a ton to Amy and Katie at Wiley for helping making this book happen, long-time friend, Peter Davis, for his most excellent technical edits, and for well-respected IT/security veteran, Richard Stiennon, for writing the new foreword. I couldn't have done it without your efforts and insight!

A LOT of sweat equity among many people has gone into Hacking For Dummies, 5th edition. I hope you'll check it out! I really think you'll like it.