You can't secure what you don't acknowledge.℠

Thursday, September 30, 2010

Elcomsoft's new Phone Password Breaker now supports the BlackBerry

Elcomsoft's handy iPhone Password Breaker, the tool that cracks iPhone backup passwords, just got 100% better. It's now called Phone Password Breaker and supports BlackBerry backups as well. Nice.

Combine such a tool with all the open shares and unstructured data scattered about the average network and you've got a pretty serious problem on your hands: a phone backup sitting on an open share is worth about as much to an attacker as the phone itself. That is, unless you're the one using the tool in a security assessment to demonstrate the continued risks smartphones represent in the enterprise.

Phone Password Breaker can crack password-protected iPhone, iPad and iPod touch backups and decrypt encrypted BlackBerry backups. Like some of its sister products, the tool can use GPU acceleration, which helps a great deal when you have only a short window in which to get results. The flip side for defenders: GPU-assisted guessing makes short or dictionary-based backup passwords a poor bet, and a long passphrase is the one thing that actually slows this kind of tool down.

The Pro version costs $199 and the Home edition is less than half that. Not bad given the value it can bring. Kudos to Vladimir Katalov and his team for yet another great security/forensics tool we can all benefit from. Check it out.

Tuesday, September 28, 2010

In the unlikely event you experience a security breach...

If you've experienced a data breach, or if you're into thinking long term and want to plan ahead in case one does occur, here's an Entrepreneur Magazine piece from a PR specialist on how to handle a crisis.

It doesn't have to be difficult, but you can pretty much bet it will be if you don't have a plan. For further reading, here are some pieces I've written about information security incident response.

Don't believe the hype

In this piece, fellow writer Mike Nelson does a good job of railing against vendor FUD. His content ties right into my thoughts on all the IT and security marketing fluff we're exposed to. It's nuts.

If you do anything, educate yourself on the basics before going in, before you buy any product or service. With Google, Bing, and all the other good resources out there, it's relatively simple to learn the essentials. Armed with just enough of the basics, you'll at least be able to call b.s. when the sales weasels' audacity of hype gets out of line.

Cybersecurity Act of 2009 - It's great for government growth!

You may already know how I feel about our out-of-control government. Well, here's a new piece I wrote about the Cybersecurity Act of 2009, legislation that'll make your head spin.

Why the Cybersecurity Act is better for government than business

In subsequent edits to this article I had added some material on the new Lieberman-Carper-Collins legislation, the Protecting Cyberspace as a National Asset Act of 2010 (a.k.a. Senate Bill 3480), that didn't make the final cut. So I'm going to write a follow-up article on that. Stay tuned...

Bottom line: We've got to wake up to the reality of what's happening to the U.S. - and the world - in the name of government control - silent (and not so silent) tyranny...It's all happening right before our eyes.

New Windows identity & access management resources

Here are some new pieces I wrote on Windows IAM, covering the pros, cons, and considerations:

Are identity and access management payoffs worth the fuss?

The compliance benefits of Windows identity and access management

Six ways to improve identity and access management (IAM) for Windows

Finding the value in Microsoft Forefront Identity Manager 2010


Monday, September 27, 2010

Got VoIP? Better make sure it's secure.

Given that VoIP has been around for more than 10 years, it's hard to find a business where it's not running in some capacity. I do find it interesting how many network managers aren't too concerned about the security of VoIP. People say things like "It's on the inside of the network", "It's running on a separate VLAN", and "We're PCI and HIPAA compliant, but there's nothing of significance being sent over the wire with VoIP". Interesting.

Here's a new story about VoIP hackers being sentenced to prison, proof, to me, that there are people out there who want your systems, your minutes, your bandwidth and beyond.

There are numerous ways to exploit VoIP, from poorly-secured call manager interfaces to the network traffic itself and beyond. For example, Cain & Abel's ARP poison routing gives a malicious insider a simple way to insert a workstation between your phones and the call manager or gateway on a switched network, then capture the RTP streams and play the calls back as audio. VoIP Hopper can get an attacker past VLAN segmentation by impersonating an IP phone (spoofing the discovery protocol traffic the switch expects) to learn and join the voice VLAN from a data port. I go into VoIP hacking in detail in Chapter 13 of my book Hacking For Dummies, 3rd edition. For further reading, check out these pieces that I've presented on VoIP security.
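The ARP poisoning described above leaves a footprint on the wire that is easy to check for: an IP address that suddenly answers from a different MAC, and one MAC that answers for several IPs (the attacker has to claim both ends of a call to sit in the middle). The script below is an added example, not code from the original post or from Cain & Abel; it runs over a constructed list of ARP replies as a sniffer or switch log might record them, and the addresses, including the assumed attacker MAC 00:0c:29:aa:bb:cc, are made up.

```python
"""Flag ARP poisoning of the kind Cain & Abel's APR feature performs.

Added example with constructed data. Input records are
(timestamp, sender IP, sender MAC) tuples for ARP replies seen on the
voice VLAN; the first MAC seen for an IP is treated as the baseline.
"""
from collections import defaultdict

# Constructed sample: a quiet voice VLAN, then an assumed attacker
# workstation (00:0c:29:aa:bb:cc) claims both the gateway and a phone.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.10.20.1",  "00:1a:2b:3c:4d:01"),   # default gateway / call manager
    (0.5, "10.10.20.50", "00:1a:2b:3c:4d:50"),   # IP phone
    (1.0, "10.10.20.51", "00:1a:2b:3c:4d:51"),   # IP phone
    (5.0, "10.10.20.1",  "00:0c:29:aa:bb:cc"),   # gateway IP now at a new MAC
    (5.1, "10.10.20.50", "00:0c:29:aa:bb:cc"),   # phone IP now at the same MAC
    (6.0, "10.10.20.51", "00:1a:2b:3c:4d:51"),   # unchanged
]


def detect_arp_poisoning(replies, max_ips_per_mac=1):
    """Return alert tuples found in the ARP replies.

    Signals:
      ("ip_moved", ts, ip, baseline_mac, new_mac)  - an IP changed MAC
      ("mac_claims_many", mac, (ip, ...))          - one MAC answers for
                                                     more IPs than allowed
    Each (ip, new_mac) pair is reported once, however often it recurs.
    """
    baseline = {}                   # ip -> first MAC seen for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has answered for
    reported = set()
    alerts = []
    for ts, ip, mac in sorted(replies):
        ips_by_mac[mac].add(ip)
        if ip not in baseline:
            baseline[ip] = mac
        elif baseline[ip] != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append(("ip_moved", ts, ip, baseline[ip], mac))
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(("mac_claims_many", mac, tuple(sorted(ips))))
    return alerts


def poisoner_candidates(alerts):
    """MACs that both took over an IP and answer for several IPs."""
    moved_to = {a[4] for a in alerts if a[0] == "ip_moved"}
    greedy = {a[1] for a in alerts if a[0] == "mac_claims_many"}
    return sorted(moved_to & greedy)


if __name__ == "__main__":
    found = detect_arp_poisoning(SAMPLE_ARP_REPLIES)
    for alert in found:
        print(alert)
    print("likely poisoner(s):", poisoner_candidates(found))
```

Treat the output as a lead, not a verdict: a replaced phone, a gateway failover or a router doing proxy ARP produces the same signals, so allow-list the addresses you expect to answer for many IPs. The real fix is on the switches (Dynamic ARP Inspection with DHCP snooping) and in the protocols (TLS for signaling, SRTP for media) so that a captured stream isn't playable in the first place.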

However you choose to uncover your VoIP vulnerabilities, just do something. In the end, if it's got an on/off switch and an IP address, someone's going to try to manipulate it for ill-gotten gains.

It all goes back to choice

I've said it before, and I've come across a quote that prompts me to say it again. Peter McWilliams once said, "We are all, right now, living the life we choose."

The same goes for security...and compliance...and overall business risk. The sum of your business decisions up to this point defines exactly where you are right now.

As Og Mandino said, "Use wisely your power of choice." As I've discovered, it's hard as heck sometimes, but incorporating this discipline into every decision you make can have a tremendous impact on all aspects of your life.

Sunday, September 26, 2010

Looking for a tech job? Here's what you have to do to stand out.

If you're currently looking for a job in IT, with the unemployment rate at 9.6%, you know how difficult things can be. Deep down you likely know that you've got to do something to stand out above the noise so you can land that new position. But just what is it that you need to do? Do you network more, go back to school, get a certification, or run on a platform of "hope" and wait on the sidelines for things to happen?

Well, here's a piece I wrote about the steps you can take to get where you need to be:

Getting hired in IT: How to stand out

Check out my related articles and audio programs for further reading on IT and information security careers.