The security grab bag: Is Treo hacking overrated?

I’ve been ranting lately about things that bug me. This week, I’ll cover a variety of topics that have nothing to do with one another other than my level of excitement.

Elemental Security

Elemental Security's co-founder and CTO, Dan Farmer, is making headlines again. Farmer is famous for his 1995 vulnerability scanner, SATAN (Security Administrator's Tool for Analyzing Networks). Its release ushered a new age of hacking and hacking defense. Dan’s always a good guy for a quote, and during SATAN’s release he told computer security defense vendors something along the lines of, “You’re not mad at me for releasing SATAN. You’re mad at me for releasing it for free.”

His software, Elemental Compliance, is winning kudos and awards for its unique security approach, including a 2006 Technology of the Year award from InfoWorld. With Elemental Compliance, every managed computer acts like a nosy neighbor, looking for arbitrary applications, open ports, running processes, and the content of configuration files and registry database entries. It excels at rules-based access control defined by easy scripting language. As Farmer says, “We can map the way you talk and think about security.”

Here are some examples of types of policies you can define with Elemental Compliance:

-- West Coast clients running Kazaa cannot connect to our servers
-- Send my Windows policy to my Windows machines in my Sales Active Directory group
-- Block VPN users from accessing the corporate mail servers

All of this is done through Elemental Compliance's clickable GUI. The product relies on an Oracle back end, an Apache/Tomcat server center, and a Python-like interpreted scripting language called Fuel. It works with Windows, Red Hat Linux, Solaris, AIX 5.2/5.3, HP-UX 11i, and Mac OS X (Panther and Tiger).

Treo Hacking

I finally upgraded my aging, clunky cell phone with a new Treo 650. I don’t want to say that my old cell phone was ancient, but whenever I made a trip to Tokyo, I seemed to cause spontaneous laughter from friends and strangers whenever I pulled it out. Old tech is not the way to gain respect in the Land of the Rising Sun.

Treo phones are probably second only to BlackBerries when it comes to customer loyalty. After buying one and using it during the past few weeks, I have to agree: The Treo 650 is a great all-around cell phone.

I was especially excited to download dozens of free Palm OS-ready software programs and games to my Treo. As a professional penetration tester, I downloaded every pen testing and hacking tool I could find. I was delighted to learn that The Hacker’s Choice Hydra brute-force password-guesser program works with the Palm OS. I was also able to find war dialers, port scanners, Telnet programs, FTP servers, VNC, and several SSH tools. I put them all to the test -- go to my Security Adviser blog to see my Treo screenshots.