For my Computer Security and Ethical Hacking students.

FireEye Releases Managed Password Cracking Tool

FireEye on Monday released a tool designed to help red teams manage password cracking tasks across multiple GPU servers. Called GoCrack, the open source tool provides an easy-to-use, web-based real-time UI to create, view, and manage password cracking tasks.

… The server component can run on any Linux server running Docker, while users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.
“Password cracking tools are an effective way for security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements,” FireEye’s Christopher Schmitt explained in a blog post. “Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations.”
… GoCrack is available for download from GitHub, along with its source code.
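The quoted use cases above are the defender's side of a cracking tool: checking recovered passwords against the current policy and reasoning about how expensive each guess is. The script below is an added illustration, not FireEye's or GoCrack's code; the policy thresholds, the deny list and the sample of "recovered" passwords are constructed for the example, and the cost ratio is measured on whatever machine runs it.

```python
"""Defender-side password audit (added example, not GoCrack code).

Two things a security team does with the output of an authorized
cracking run:
  1. audit whether the recovered passwords meet the current policy, and
  2. measure how much a slow password hash raises the per-guess cost
     compared with a fast general-purpose hash.
All data below is constructed for the illustration.
"""
import hashlib
import os
import re
import time

# Constructed sample of passwords "recovered" during an authorized audit.
SAMPLE_RECOVERED = [
    "Summer2017!",
    "password",
    "Tr0ub4dor&3",
    "correct horse",
    "P@ssw0rd1",
    "Correct-Horse-Battery9",
]

# Hypothetical policy: 12+ characters, at least 3 of 4 character classes,
# and not on the organisation's (constructed, lowercase) deny list.
MIN_LENGTH = 12
MIN_CLASSES = 3
DENY_LIST = {"password", "p@ssw0rd1", "summer2017!"}


def character_classes(pw):
    """Count how many of lower, upper, digit, symbol appear in pw."""
    classes = 0
    classes += bool(re.search(r"[a-z]", pw))
    classes += bool(re.search(r"[A-Z]", pw))
    classes += bool(re.search(r"\d", pw))
    classes += bool(re.search(r"[^A-Za-z0-9]", pw))
    return classes


def policy_violations(pw):
    """Return the list of policy rules pw fails; an empty list means compliant."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("too_short")
    if character_classes(pw) < MIN_CLASSES:
        violations.append("too_few_classes")
    if pw.lower() in DENY_LIST:
        violations.append("deny_listed")
    return violations


def audit(passwords):
    """Map each audited password to the rules it fails (compliant entries map to [])."""
    return {pw: policy_violations(pw) for pw in passwords}


def compliance_rate(passwords):
    """Fraction of the sample that passes every rule, as a float in [0, 1]."""
    results = audit(passwords)
    return sum(1 for v in results.values() if not v) / len(results)


def guess_cost_ratio(iterations=100_000, trials=5):
    """Estimate how many times more expensive one PBKDF2-HMAC-SHA256 guess is
    than one raw salted SHA-256 guess on this machine. The absolute numbers
    are hardware dependent; the ratio is what matters for storage decisions."""
    salt = os.urandom(16)
    candidate = b"constructed-candidate"
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.sha256(salt + candidate).digest()
    fast = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", candidate, salt, iterations)
    slow = (time.perf_counter() - t0) / trials
    return slow / fast


if __name__ == "__main__":
    for pw, failed in audit(SAMPLE_RECOVERED).items():
        print(f"{pw!r:26} {'OK' if not failed else ', '.join(failed)}")
    print(f"compliance rate: {compliance_rate(SAMPLE_RECOVERED):.0%}")
    print(f"PBKDF2 guess costs ~{guess_cost_ratio():.0f}x a raw SHA-256 guess")
```

Run it as a script to see the per-password verdicts and the cost ratio. The audit half is what "auditing password requirements in internal tools" amounts to once passwords have been recovered; the cost ratio half is the argument for a deliberately slow hash, since a cracking rig's throughput is divided by that ratio.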
A Security philosophy?

Life Between Absolutes - The Challenge of a Security Professional

Security has never been about being ‘secure’ or ‘insecure’; I think we as an industry of professionals can broadly agree on this. What we don’t seem to agree on, pretty much ever, is how to strike the balance of good enough security.

In what feels like a never-ending struggle, I bear witness to the results of this on a daily basis working on the provider side of the problem. Over-engineering solutions leads to resentment and distrust from the business side. Under-engineering leads to situations of blame and catastrophe. I don’t think either end is a good result. So, where’s the middle?

… Strive for a defensible result. In other words, when things go wrong, and you’re faced with a bad day, make sure you can defend your strategy and approach in front of a court of law and public opinion. Do not only what the bare minimum calls for, but what is necessary and proper. It’s that last word that will get you into trouble, I think.

Lawyers will tell you that “necessary and proper” is a legal term. It’s a way to protect yourself, your customers, your shareholders and executives. It’s doing things “just right.” It’s acknowledging that there will be mistakes and accounting for them. When you have a communications breakdown and someone misses a patch or makes an unauthorized change, it’s critical to know how fast you can catch it and what you do about it.