Tuesday, October 31, 2017

For my Computer Security and Ethical Hacking students.
FireEye Releases Managed Password Cracking Tool
FireEye on Monday released a tool designed to help red teams manage password cracking tasks across multiple GPU servers. Called GoCrack, the open source tool provides an easy-to-use, web-based real-time UI to create, view, and manage password cracking tasks.
The server component can run on any Linux server running Docker, while users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.
“Password cracking tools are an effective way for security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements,” FireEye’s Christopher Schmitt explained in a blog post. “Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations.”
GoCrack is available for download from GitHub, along with its source code.
A Security philosophy?
Life Between Absolutes - The Challenge of a Security Professional
Security has never been about being ‘secure’ or ‘insecure’; I think we as an industry of professionals can broadly agree on this. What we don’t seem to agree on, pretty much ever, is how to strike the balance of good enough security.
In what feels like a never-ending struggle, I bear witness to the results of this on a daily basis working on the provider side of the problem. Over-engineering solutions leads to resentment and distrust from the business side. Under-engineering leads to situations of blame and catastrophe. I don’t think either end is a good result.
So, where’s the middle?
Strive for a defensible result. In other words, when things go wrong, and you’re faced with a bad day, make sure you can defend your strategy and approach in front of a court of law and public opinion. Do not only what the bare minimum calls for but what is necessary and proper. It’s that last word that will get you into trouble, I think.
Lawyers will tell you that “necessary and proper” is a legal term. It’s a way to protect yourself, your customers, your shareholders and executives. It’s doing things “just right.” It’s acknowledging that there will be mistakes and accounting for them. When you have a communications breakdown and someone misses a patch or makes an unauthorized change, it’s critical to know how fast you can catch it and what you do about it.