James Tarala

Password Assessment with LC6 – Why it Matters for Auditors

Posted on by James Tarala

Last week the researchers over at the L0phtCrack team (Christien Rioux, Chris Wysopal, and Peiter Mudge Zatko) released a new version of their famous tool – l0phtcrack, this time known as LC6. The tool has finally returned from its long slumber and is now available for download and purchase from their website (http://www.l0phtcrack.com/index.html). And can I just say to these developers, Welcome back!

The million dollar question security engineers and auditors are probably asking right now is, why would I willingly pay for a password cracking tool when there are free tools like John the Ripper, LCP, and Cain & Abel available that will do the same thing?

Well, I’m glad you asked…

LC6 has a feature called – “Display Passwords when Audited” which can be disabled.

That feature alone should make this the password cracking tool of choice for any security auditor. If you’re an auditor, do you really want to know what your users’ passwords are? Or do you simply want to know how long it takes to crack the passwords and whether they are in compliance with the organization’s password policies? It seems to me as an auditor, we want to protect our passwords and our hashes from inadvertent disclosure. What better way to do that than not displaying them at all?

Auditors, password assessment should be a part of your testing regiment, but only in a controlled manner and with proper management authorization. Although I don’t get any corporate sponsorship for saying this, I think we should consider LC6, to protect our integrity as auditors and yet still be able to test a critical system control.

Crack responsibly…

James Tarala

Checklists a Day: Week in Review – May 30, 2009

Posted on by James Tarala

Each week via Twitter we post a daily audit checklist tweet for all the IS auditors and security administrators out there in the tweet-o-sphere. But, we realize not everyone is ready for Twitter, and many of your are still resisting (you can keep trying, but eventually you will give in and start tweeting, everyone will eventually…), so we’ve decided to start posting them in our blog as well.

So once each week we’ll post the audit checklists and audit tools that we posted into Twitter here in our blog as well. This way everyone will have a chance to enjoy all the audit fun!

So, from all the folks at Enclave Security, enjoy this week’s audit checklists and tools.

Audit Checklists & Security Guides:

Auditing Microsoft Windows Vista Systems

Auditing Unix Systems

Auditing Outsourced Business Functions

Auditing Cisco Routers (Old Link Removed)

Auditing Bank ATM Machines (1)

Auditing Bank ATM Machines (2) (Old Link Removed)

Auditing Change & Patch Management (Old Link Removed)

Auditing Mac OS X Systems (Old Link Removed)

Audit Tools:

NEWT Professional

(Inventory & Assessment Tool)

Lynis

(Unix Audit Scripts)

Netifera

(Network Assessment Tool)

Nipper

(Network Device Audit Tool)

OpenVAS

(Vulnerability Assessment Tool)

Microsoft BSA

(Windows Security Assessment Tool)

ClamXav

(Mac OS X Anti-Malware Tool)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.