You can't secure what you don't acknowledge.SM

Thursday, January 29, 2009

What are you thinking about right now?

Did you know that you become what you think about the most? Here's a neat little video excerpt from Earl Nightingale's The Strangest Secret that talks about this very thing. Very inspirational.

Be like the land Mr. Nightingale talks about. I use this mental visualization technique in my personal life and career. I can honestly attribute my success to it. It really works.

Now I just need to apply it to my thoughts on apathetic citizens and government regulations and I'll be set! I promise I'm working on it... ;-)

Exploiting a crisis to perpetrate a scam?

Ever have a situation where a crisis is going on and you witness people taking advantage of it for their own ill-gotten gains? For example, a security breach leading to the purchase of unnecessary technical controls or the implementation of draconian policies (especially when the basics haven't even been addressed), all to boost an IT manager's ego.

Or look at what President Bush did: exploit 9/11 to give the government more power. And what Obama and his minions are doing now with the economy and so-called "stimulus" bill. Control. More control. Ultimate control. That's what so many people want but all too often for the wrong reasons: Personal gain. Political power.

This whole economic spending bill is unbelievable. BILLIONS and BILLIONS of additional dollars on food stamps, condoms, public housing and more junk programs we don't need aren't going to stimulate anything other than dependence on government growth! Absolutely amazing our so-called leaders are feeding us this and we're eating it!! Prestigious economists say it's a joke. Most reasonably smart people can see right through it. This government growth bill is not there for us but rather to create more political power for those who don't deserve it.

Given that we no longer have a government by the people for the people, I've all but given up on those fools that the dumb masses have voted in to "serve" us in Washington. I'm talking about both the Democrats and the Republicans. I'm proud to say I'm neither.

I'm going to write something so I can refer back to it when I'm old and can say I was right: America as it was intended is gone. We've been getting nudged along for a few decades but now we finally have the momentum - we're now sliding down the slippery slope called Socialism... It's the "change" we finally deserve. And, sadly, most people don't care because they value good looks, charismatic speeches, and government "security" over personal freedom...

Whew...anyway. Back to my point: look out for those exploiting a crisis in your organization for their own ill-gotten gains. Apparently it's the American way.

Pros and cons of information hiding

I just read this good article on steganography and started thinking about the potential uses and misuses of this technology.

So, do you have a need to hide information on mobile systems/devices to keep prying eyes away in the event of theft or loss? Sounds like a good application for it. Although given the current state of mobile security [mostly nada] I can't imagine too many people would go this far to protect mobile devices when they haven't even done the basics.

Think about the other side of the equation: rogue employees doing bad things. What an empowering way for users to walk out with sensitive files... Even if they get caught, they can rest assured that their misdeeds are likely going to go unnoticed/undetected with current ediscovery tools.

Yet another good thing to think about for your incident response plan and your ediscovery efforts. Lawyers: are you listening?
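
To make the "walk out with sensitive files" scenario and the detection side concrete, here is an added example in Python (not the author's code and not from the steganography article linked above): a minimal least-significant-bit embedder and extractor for a raw sample buffer, next to the pairs-of-values chi-square test from Westfeld and Pfitzmann that an ediscovery or DLP tool could run to flag it. The cover buffer and payload are constructed inline; the cover is deliberately skewed (even values only) so the drop in the statistic is obvious. On a real image the test would be run over the actual pixel channels, and the payload would normally be encrypted first so its bits look random.

```python
"""LSB steganography in a raw sample buffer plus a pairs-of-values
steganalysis check. Added example with constructed data; not from the
original post."""
import random
import struct


def capacity_bytes(cover: bytes) -> int:
    """Payload bytes that fit: one bit per sample, minus the 32-bit length prefix."""
    return max(0, (len(cover) - 32) // 8)


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the least-significant bit of successive samples with a
    4-byte length prefix followed by the payload bits (MSB first)."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"cover holds {capacity_bytes(cover)} bytes, payload is {len(payload)}")
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix from the LSB plane, then that many bytes."""
    def read_int(start: int, nbits: int) -> int:
        value = 0
        for k in range(nbits):
            value = (value << 1) | (stego[start + k] & 1)
        return value

    length = read_int(0, 32)
    if 32 + 8 * length > len(stego):
        raise ValueError("length prefix exceeds buffer; probably no payload present")
    return bytes(read_int(32 + 8 * k, 8) for k in range(length))


def chi_square_pairs(samples: bytes) -> float:
    """Westfeld/Pfitzmann pairs-of-values statistic. Sequential LSB embedding
    of near-random data pushes the counts of each value pair (2k, 2k+1)
    toward equality, so a value far below the cover's suggests embedding."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi2 += (even - expected) ** 2 / expected
    return chi2


def constructed_cover(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed cover buffer (assumption for the demo): only even sample
    values, i.e. a deliberately skewed histogram."""
    rng = random.Random(seed)
    return bytes(rng.randrange(0, 256, 2) for _ in range(n))


def run_demo(seed: int = 1) -> dict:
    """Embed a random payload that fills the cover and compare the statistic."""
    cover = constructed_cover(seed=seed)
    payload = bytes(random.Random(seed + 1).getrandbits(8)
                    for _ in range(capacity_bytes(cover)))
    stego = embed_lsb(cover, payload)
    return {
        "roundtrip_ok": extract_lsb(stego) == payload,
        "cover_chi2": chi_square_pairs(cover),
        "stego_chi2": chi_square_pairs(stego),
    }


if __name__ == "__main__":
    print(run_demo())
```

The statistic is only a screening signal: it catches sequential LSB replacement of random-looking data, and tools that scatter bits or use matching instead of replacement defeat it. That is exactly why the incident response plan should not assume ediscovery will find this for you.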

Also, this is a good reason to NOT give users local admin rights on their workstations. If they can't install the software, they can't easily abuse the system (portable tools that need no installer are the exception, so pair this with application control where you can). This may also be a good time to consider some Web-based content filtering to at least attempt to block people from browsing to these software download sites. It's not foolproof, but you can at least say that you had reasonable controls in place.

Monday, January 26, 2009

A primer on WEP/WPA hacks & why it doesn't matter

If you can't justify spending $18.99 on the book I co-authored, Hacking Wireless Networks For Dummies, then there's an alternative resource for you to at least be able to learn about how WEP and WPA can be exploited. In this recent SearchNetworking.com tip, Lisa Phifer has taken the volumes and volumes of technical jabber about the known attacks against WEP and WPA and distilled them into a simple 5 minute read. Definitely worth checking out.
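
The tip covers the attacks themselves; as an added example that is not part of the original post (or of the tip), here is a toy model in Python of the one weakness most WEP attacks rest on: RC4 keystream reuse whenever the 24-bit per-packet IV repeats. The RC4 routine is the standard algorithm; the frame layout (IV prepended to the shared key, IV sent in clear, no CRC-32 ICV) is simplified, and the key, IV and the two plaintexts are constructed sample data.

```python
"""Toy model of WEP keystream reuse. Added example with constructed data;
simplified frame format, not a real 802.11 implementation."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then the keystream generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP builds the per-packet RC4 key as IV || shared key and sends the
    IV in the clear. (The real frame also carries a CRC-32 ICV; omitted.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def recover_other_plaintext(frame_a: bytes, frame_b: bytes, known_plain_a: bytes) -> bytes:
    """Two frames with the same IV share a keystream. Knowing (or guessing,
    e.g. an ARP request) one plaintext reveals the other without the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; no keystream reuse to exploit")
    keystream = xor_bytes(frame_a[3:], known_plain_a)
    return xor_bytes(frame_b[3:], keystream)


def packets_until_iv_collision(iv_bits: int = 24, probability: float = 0.5) -> float:
    """Birthday bound: roughly how many randomly chosen IVs are sent before
    one repeats with the given probability."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit shared key
    iv = bytes.fromhex("0c0a02")               # constructed IV the AP happens to reuse
    known = b"ARP who-has 192.168.1.1 "        # guessable plaintext (constructed)
    secret = b"POST /login pw=hunter2  "       # the other frame's plaintext (constructed)
    frame_a = wep_encrypt(key, iv, known)
    frame_b = wep_encrypt(key, iv, secret)
    print(recover_other_plaintext(frame_a, frame_b, known))
    print(f"~{packets_until_iv_collision():.0f} packets for a 50% chance of an IV repeat")
```

Busy networks with sequential or random IVs hit a repeat within thousands of frames, which is why the attack is a matter of capturing traffic and waiting rather than of breaking RC4; the key-recovery attacks in the tip build on the same IV exposure.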

After reading it though, I thought... man, all of these technical details, all of these attacks, all of this effort to lock down wireless. With all due respect to the people who figured all of this stuff out, I still think it's pretty naive to focus a lot of security effort on this when there's so much other silly/simple/stupid stuff that needs to be fixed. Things I've seen recently include:
  1. Web sites with spreadsheets containing Social Security numbers protected only by a really short and really easy to guess password
  2. Web apps with supposed multi-factor authentication controls that can be easily overridden and disabled
  3. Network shares sharing out entire drives full of sensitive files - all accessible by anyone on the network
  4. Firewalls with default installs and no passwords
  5. VoIP phones sitting in unmonitored lobbies that can simply be unplugged and provide direct network access to strangers
  6. Smartphones without even a trace of security enabled - not even a power-on password
  7. Laptops without encrypted drives
  8. Database servers without passwords
  9. Backups stored onsite in fireproof safes that aren't media rated
  10. Physical security CCTV control systems without passwords viewable/configurable by anyone on the network
  11. Missing patches that are easily-exploited with free tools providing full admin access to the system without the attacker ever having to log in
So stop focusing on the details and fix the obvious stuff first. And you can't assume everything's OK. You'll never know where you're vulnerable and where things stand unless and until you test your systems and your processes. Period.

Can you tell I'm passionate about this stuff? I could go on and on and on....but I won't.

Looking for some software to exploit?

If you're learning the ins and outs of Metasploit (one of the most underrated and underused tools in our field) but don't have the software to exploit in a test environment, check out www.securinfos.info/old-softwares-vulnerable.php. Also don't forget about any old copies of Windows or other software on CDs you have lying around... Just load them up on a test machine, VMware image, or similar and off you go. I can't imagine a more cost-effective and hands-on way to get some seat time in this area.

Also, to get you up to speed quickly I've written a few articles about Metasploit for your perusal:
Metasploit 3.1 updates improve Windows penetration testing
Metasploit 3.0 security testing tool - free easy and improved
Using Metasploit for real-world security tests
Metasploit: A penetration testing tool you shouldn't be without