paranoidmike's WebLog

Data security (EFS, RMS, DPAPI, PKI) and other security rants

(Security) Tools I frequently use

This may be deemed an exercise in WTF, but I thought I'd share the tools that I have installed on my system that I can't work without.  Some of these help me deal with security issues, some are loosely related to security, and some are just downright Cool-But-Unrelated-To-Security.  If you've already got them all, then you're probably more of a packrat than me, and I'd be worried ;)  If you know of something else that you think I'd really like (aside: wouldn't it be cool if download.com made recommendations to you based on the tools you have, a la Amazon?), comment away!

Enjoy, or skip it and do something useful. [more or less in order of how often I use 'em]

I've got a ton of other stuff installed, but these are the ones I regularly use.  [well, plus the usual array of MS software apps of course...]

[Comments feedback...]
 
Robert: good point, I have all three of those tools installed, but I actually only rarely use them.  For network diagnostics, I have spent way too many years poring over NetMon traces to get to the bottom of all the authentication issues I've encountered, as well as basically any other network or network security issues I've felt compelled to understand.  Basically anytime I can't troubleshoot an issue with FileMon, Netmon or ProcExp, I'll fire up NetMon and capture two traces of a transaction: one of the failing operation, and another of the same (or very similar) operation that succeeds.  Then I just pop open the captures, start comparing them packet by packet until I see a divergence, and then start digging into the data bits of the unique packets.  If I can't figure it out from there, that usually means it's a code-level issue and I'm already drowning :)  [few more tips here]
 
I don't do a lot of remote scanning anymore - not that it isn't useful, but when I'm designing secure solutions (the majority of my consulting work these days), I want to know more than whether certain ports are remotely accessible or what vulnerabilities are currently identified on the box.  The former I can figure out pretty much from within the box itself, and the latter is *always* changing, and the solution shouldn't depend on which unpatched holes are available, since they'll generally be fixed at some point [i.e. "install all current security fixes" is usually all I bother documenting in these solutions, not that anyone needs reminding].
 
Richard: thanks for the offer.  I actually have three approaches to securely managing passwords that I need to protect from prying eyes:
  • Excel w/EFS - I have a spreadsheet that currently has 184 entries, of site, username, password.  I encrypt the spreadsheet using EFS, which given my passphrase and the amount of time it'd take to brute force, gives me plenty of time to reset those passwords if someone ever stole my laptop.
  • MSN Toolbar w/ form fill - if I'm getting prompted to fill in a forms-based username & password, these days I find it's reasonable to use the form filling application that comes with MSN Toolbar Suite (the beta that includes the really nice MSN Desktop Search).  It's not perfect, but I believe that the form fill app uses DPAPI to protect my passwords, so it means an attacker needs my domain password before they can get any others.
  • CodeWallet Pro: for storing my passwords on my smartphone, I use CodeWallet Pro.
Note two things:
  • I did not say I'm protecting all passwords to this degree; some of them are just for personalization on all the sites I visit, and frankly I don't care if someone else can spoof me there - not that most of them would bother - they probably would have a better reputation under their own name ;)
  • I am generally avoiding the use of IE's "Save this password for future use" feature, as it stores your usernames & passwords using the Protected Store feature, rather than DPAPI.  The former is LSA secrets-based, so any attacker with admin or LocalSystem can dump them out with tools you can find on the 'net; the latter is the basis for protecting all private keys and other sensitive application data on Windows 2000 and up, and depends on an attacker being able to guess my password to be able to decrypt the data that's protected via DPAPI.  I know not everyone uses a really strong password/phrase, but personally I'm pretty safe against brute-force attacks - domain account, 15-20 character passphrase on average, hardly things you'd find in a dictionary.  Heck, I'm pretty sure that factoring my RSA keys would take less time than brute-forcing the cached credential verifier for my domain passphrase.
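To make the DPAPI property described above concrete, here is an added example (not code from the original post) that protects and unprotects a site/username/password record through the .NET ProtectedData wrapper over DPAPI; it assumes Windows PowerShell 5.1, and the record, entropy string and function names are constructed for illustration.

```powershell
# Added example: DPAPI round-trip via System.Security.Cryptography.ProtectedData.
# CurrentUser scope ties the master key to the user's logon credential, which is the
# property the post relies on; LocalMachine scope lets any principal on the box
# unprotect the blob, giving that property up.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Secret,
        [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser',
        [string]$Entropy = ''   # optional app-specific secondary secret
    )
    $plain = [Text.Encoding]::UTF8.GetBytes($Secret)
    $salt  = if ($Entropy) { [Text.Encoding]::UTF8.GetBytes($Entropy) } else { $null }
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
                 $plain, $salt, [Security.Cryptography.DataProtectionScope]$Scope)
    [Array]::Clear($plain, 0, $plain.Length)   # don't keep plaintext around longer than needed
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Blob,
        [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser',
        [string]$Entropy = ''
    )
    $bytes = [Convert]::FromBase64String($Blob)
    $salt  = if ($Entropy) { [Text.Encoding]::UTF8.GetBytes($Entropy) } else { $null }
    try {
        $plain = [Security.Cryptography.ProtectedData]::Unprotect(
                     $bytes, $salt, [Security.Cryptography.DataProtectionScope]$Scope)
        return [Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when a different user tries to unprotect a CurrentUser blob, or the
        # entropy doesn't match: the data stays opaque instead of leaking.
        return $null
    }
}

# Demo with a constructed record (site|username|password), not a real credential.
$record  = 'example.test|mike|constructed-passphrase-not-real'
$entropy = 'password-list-v1'
$blob    = Protect-Secret -Secret $record -Entropy $entropy
"Protected (first 32 chars): $($blob.Substring(0,32))..."
"Round-trip as the same user: $(Unprotect-Secret -Blob $blob -Entropy $entropy)"
"Wrong entropy returns:       $(Unprotect-Secret -Blob $blob -Entropy 'wrong')"
```

Run the same script as a second local account against a saved CurrentUser blob and Unprotect-Secret returns $null, whereas a LocalMachine blob decrypts for anyone on the machine.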
Published Saturday, January 29, 2005 5:45 PM by paranoidmike

Comments

 

Robert Hurlbut said:

Where is nessus, nmap, Ethereal, etc.? ;)

Those are the hard core security tools that are missing from your list ...
January 29, 2005 3:19 PM
 

Richard said:

If you need a password manager (.NET).

Also, www.spamcop.net is worth a look.

BTW Thanks for the list.

BTW2 With Adobe Reader 7 you don't really need Speedup.
January 29, 2005 3:36 PM
 

Robert Hurlbut said:

Thanks for the feedback. Great list, by the way. I fire up SysInternals tools many, many times to check on file and registry permission errors I find with software not written or tested by non-administrators.
January 29, 2005 5:17 PM
 



Obligatory disclaimer: in case anyone tries to claim otherwise in the future, these postings to my blog come with no warranty, guarantee, support or credentials - either express, implied, overnight delivery or teleported. I think I may know some stuff, but I'm probably wrong.
