-
19 Aug 2014CommView for WiFi – a great option for wireless network analysis
Several years ago I wrote about the neat WEP/WPA recovery tools offered as part of TamoSoft's wireless network analyzer called CommView for WiFi. Well, those tools are no longer available but CommView for WiFi is as relevant as ever. I've been using it for years. It seems that it hasn't changed a ton other than some UI and packet analysis enhancements - probably just oversights on my part since I ...
Continue Reading... -
01 May 2014
Running vulnerability scans over VPN connections
If you haven't yet, you'll likely run into a situation where you need to run vulnerability scans over a VPN connection (i.e. for remote office networks). Well, certain scanners won't scan over "raw sockets" - the underlying communication method for certain VPN connections. Other scanners can't even connect to a remote network at all because they're caught up in their own little virtual machines that you cannot add a VPN ...
Continue Reading... -
13 Nov 2013
Reaver Pro: a simple tool for cracking WPA on a LOT of wireless networks
If wireless security testing is on your radar, you need to get Reaver Pro. As I outlined in this Hacking For Dummies, 4th edition chapter, Reaver Pro is a great tool for cracking the WPA pre-shared key on all those consumer-grade wireless APs/routers that everyone installs in the enterprise. The latest version of Reaver Pro is very simple to use. No live CDs or VMs to boot. You simply connect ...
Continue Reading... -
07 Oct 2013
Experiencing problems with authenticated web vulnerability scans? Try NTOSpider.
You're performing authenticated web vulnerability scans, right? If you're not, you're missing out...big time. When performing authenticated scans, you'll find a whole different set of security flaws likely consisting of session fixation, SQL injection (that often differs among user role levels), weak passwords, login mechanism flaws, and perhaps...just maybe that beloved cross-site request forgery flaw that may or may not be exploitable or even matter in the context of what ...
Continue Reading... -
18 Jul 2013
Authenticated vulnerability scan pains…Rapid7 to the rescue.
Apparently the folks at Rapid7 have people working on their Nexpose team that have actually performed security assessments for a living. You see, Nexpose has this seemingly trivial feature that can create a world of difference in the life of a security practitioner - it's part of the Site Configuration (i.e. scan settings) called Test Credentials as seen in the following screenshot: Sanity brought about by people who use their own ...
Continue Reading... -
06 Apr 2013
Must-have Thunderbird to Outlook conversion tool
I recently decided to convert my Thunderbird email to Outlook and didn't have a lot of luck finding a tool that actually worked. Maybe it's because I have a pretty complex Thunderbird configuration with emails dating back to my first messages I sent/received using Netscape Mail (remember that from the 1990s?) .I came across a tool that was a perfect fit what I needed: Aid4Mail Professional by Fookes Software. It ...
Continue Reading... -
01 Mar 2013
Got WordPress? You’d better secure it.
If you use WordPress, take note. My colleague Robert Abela, one of the foremost experts on WordPress security, has a new course at Udemy.com on Securing a WordPress Blog or Website for Beginners that you should check out. The course costs $15. When you use the coupon code OnWheels, you'll receive a $5 (33%) discount. Don't let your guard down because "it's just a marketing site". WordPress-based sites can have ...
Continue Reading... -
12 Feb 2013
Mobile app security testing – are you checking for all the flaws?
I plan to write a related post soon on my mobile app security assessments. In the meantime, I wanted to share a tool with you that plays a key role in mobile app security: Checkmarx CxDeveloper (or perhaps more appropriately called CxSuite).If you're a developer, QA professional, security manager, or IT generalist, this is a good tool to have for all of those gotta-have-now apps that everyone is throwing together ...
Continue Reading... -
26 Nov 2012
Fix for painful authenticated web vulnerability scans requiring MFA
Authenticated web security scans are one of the most frustrating parts of web security assessments. I mean they're downright painful, oftentimes seemingly impossible - especially if multi-factor authentication (MFA) technology is in use. Yet authenticated scans are critically important. It's scary how many times I uncover serious flaws (i.e. SQL injection) while logged-in as a typical user of a web site/application. That is if I can get my web vulnerability ...
Continue Reading... -
14 Aug 2012
Aiming for the CISSP? Check out this book.
I recently completed the technical edits for the new book CISSP For Dummies, 4th edition. It's a great book (not because of my contribution!) that I wish I would've had when I was studying for my CISSP test back in 2001. If you're prepping for the CISSP exam or just want to brush up on the fundamental concepts of information security, this book is a must-have. Just keep in mind ...
Continue Reading...
Resources
Client Testimonials
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”
(IT managed services firm)
Kevin has written/co-written 12 books on information security including one of the best-sellers of all time:
