• 26 Mar 2010

    Great tool to check for weak Web passwords

    I've always been a fan of Acunetix Web Vulnerability Scanner. It's a lesser-known tool that packs a big punch. One of its most redeeming qualities is its password checking. As I mentioned in this post, Acunetix Web Vulnerability Scanner took what was going to be a basic assessment of an Outlook Web Access system with very few findings up many notches into a true penetration of the system...all thanks to ...

  • 03 Nov 2009

    Good dictionary to use for password cracking

    Here's a pretty comprehensive password dictionary I recently came across that you may want to use in your security testing...there may be a "friendlier" download link but I haven't searched for it. If time is a factor, this dictionary may be too big for its own good given the time it'd take to run through everything, but at least you know you're using a good dictionary. After all, your dictionary-based password cracking ...

  • 21 Oct 2009

    Metasploit as we knew it going bye bye?

    The day I never thought I'd see has come. Once HD Moore announced "Metasploit is hiring" I knew something was going on. Metasploit has been acquired by Rapid7...huh!? Too bad Qualys - maker of my favorite OS/network vulnerability scanner - missed this opportunity! According to the Rapid7 acquisition FAQ, Metasploit will remain open source but with a commercial twist. I hope it only gets better...fingers crossed. Hey, at least capitalism prevailed...it's dying ...

  • 13 Oct 2009

    Latest version of LANguard worth considering

    Have you seen the new - OK, it's not that new any more - version of LANguard (formerly LANguard Network Security Scanner)? It's certainly a tool worth checking out if you do vulnerability scanning. I've been using LANguard for years for share finding and authenticated scanning, and it does both very well. The biggest change in the latest version is the user interface. I've never been a big fan and I'm ...

  • 12 Oct 2009

    Cool tool for cracking/resetting SQL Server passwords

    Elcomsoft has a neat - and relatively new - tool called Advanced SQL Password Recovery I thought you may be able to benefit from. It can be used to change passwords on any SQL Server database protected by a password, including SQL Server 2000, 2005 and 2008. All you need is access to the master.mdf file. SQL Server itself is optional. I was going to show a screenshot but there's not that much to show...you ...

  • 21 Sep 2009

    My latest security content

    Here are a few new pieces just published. Enjoy!

    - The lowdown on PCI compliance
    - Testing rich Internet applications: 2009's best free tools
    - Big Brother or lowly minion - finding your role in IT

    Be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, my Twitter updates, and more....

  • 02 Sep 2009

    Interesting flaw in Sears’ Web site all too common

    Check out this bit about a security flaw recently revealed on Sears' Web site. As the researcher alluded to, hacking and security are way more than people exploiting known software flaws. There are so many other security issues with Web applications. I see it all the time when doing my manual analyses on Web sites/applications. The sky is the limit for these business logic vulnerabilities and I suspect it'll always ...

  • 29 Jun 2009

    Great source code analysis tool

    Finally, I've found an affordable and effective static source code analysis tool! It's called CxDeveloper - a product of Israel-based Checkmarx that's distributed/supported by U.S.-based Security Innovation. Whew...it's a little confusing, but what can you do. I've used CxDeveloper for over a year now and, like most products, it's not perfect. It crashes unexpectedly every now and then, it generates false positives, its licensing process is kludgy and old-fashioned, and its reporting capabilities ...

  • 04 Jun 2009

    My new security vulnerability scanning service

    Well, I'm officially on the SaaS market. I've just launched my security vulnerability scanning service for both basic external security scans as well as the PCI Council's mandated Authorized Scanning Vendor (ASV) scans. Here's what I just posted on my Web site: Whether you need to minimize your investment in information security and compliance, you're in need of an easy way to discover the low-hanging vulnerabilities, or you need help certifying your ...

  • 03 Jun 2009

    Neat (and free) tool for finding Flash flaws

    HP's Application Security Center recently released SWFScan - a standalone tool that decompiles Flash applications and searches for security holes inside the code. Very cool. It's pretty surprising how many vulnerabilities Flash files can contain, including XSS, embedded SQL statements, encryption keys, login credentials and more. Definitely worth downloading and taking it for a spin. Here's a screenshot of the interface and some findings: Also, check out Billy Hoffman's video walkthrough of ...
