You can't secure what you don't acknowledge.℠

Wednesday, March 11, 2009

My deep thought of the year

Relating to how people are set in their ways:

Security problems change....people don't. Therein lies the problem. --Yours truly

Linux admin = ego trip?

I recently started writing for first bit was on a topic that no one seems to want to talk about: Linux security. Entitled Five common Linux security vulnerabilities you may be overlooking, the article currently has the lowest rating I've received on any article I've ever written for TechTarget dating back to 2002...Woohoo! You definitely can't win them all.

Sure, the article's light - it was intended to be an overview...just the essentials of what needs to be on the radar of admins. Given this rating you'd think many of the guru Linux admins out there would have security down pat. They don't...hence these types of findings in nearly every security assessment I do.

It's this kind of perspective that drives information security and will continue to keep us all busy!

Tuesday, March 10, 2009

My latest security content

I have some new information security content that you may be interested in. First, here's an article I wrote for
The fine line between not encrypting your databases and breach notification

...and two articles I wrote for
Using the Firefox Web Developer extension to find security flaws

Cloud computing and application security: Issues and risks


Also, be sure to check out for all of my information security articles, podcasts, webcasts, screencasts and more.

Using AirMagnet WiFi Analyzer for security assessments

While I'm on a roll testing out the latest security tools (can you tell I'm finally getting caught up on things?!) I wanted to write the follow-up to this previous post I promised regarding AirMagnet's wireless network analyzer (now dubbed WiFi Analyzer).

I've been using WiFi Analyzer for now supports 802.11n for those of you on the "bleeding edge" and it even has some automated security checks for "n". As long as you use one of their supported wireless NICs, you can have it up and running in a minute or two. One noticeable difference is the tweaks they've made to the user interface. I like how it's laid out - everything's within a click or two. It also has some nice reporting features if you need that for compliance purposes - something you're not going to see much of with the open source wireless tools.

In the context of security testing you can use a tool such as this to find rogue devices in your environment...even ones that are not using supported encryption methods. The scanner's main interface is shown in the following screenshot:

Keep in mind that the longer you let a scanner such as this run in your environment the more data it'll capture on wireless hosts and the better off you'll be. Recently, after letting it run for about 30 minutes, it had found 10-15 wireless devices...after a few days, it uncovered several dozen. It's the nature of wireless - who's broadcasting/advertising when - and so be patient.

You can use WiFi Analyzer Pro to hunt down rogue devices with its Find tool that uses signal and noise meters to show you when you're getting "hot" or "cold" in your search as shown in the following screenshot:

For open APs, you can use WiFi Analyzer to associate with them, grab an IP address, and perform basic pings as well as Internet lookups - things you have to do the old-fashioned way (within the OS) otherwise. The Connection Test tool is shown in the following screenshot:

The scanner will also grab SSIDs that workstations have associated with in the past as shown in the following screenshot:

These wireless associations can be very telling...showing you where users have been and whether or not they're violating your remote access, travel, and wireless security policies. Good ammo if you're trying to sell management on policies, wireless IPS, etc.

Whether you support wireless or not, odds are you have it. And AirMagnet's WiFi Analyzer is yet another tool to add to your security toolbox.

Gem of a Web application security book

It's three years old but Andres Andreu has put together a gem of a book on Web security testing:

It covers Web apps, some commercial scanners, and practically every open source tool available for Web security testing. It also has some of the best coverage I've seen on testing Web services.

Andres must've had a lot of time on his hands when he wrote it...I know firsthand how much effort it takes to put together technical material and this book is chock full of it.

Check it out...and kudos to Andres!

Monday, March 9, 2009

Great quote related to policies & compliance

Thomas Brackett Reed said "One of the greatest delusions in the world is the hope that the evils in this world are to be cured by legislation".

I see this belief in action over and over again with regard to security policies and all these regulations we're up against. Just because you have policies and just because someone in your organization thinks that the business is "compliant" with whatever law or reg or internal policy, it doesn't mean anything's secure in reality. There's a saying: trust but verify...Never ever lose sight of this.