RE: [fw-wiz] A little paranoia for the weekend...
From: Paul Robertson (proberts_at_patriot.net)
Date: 07/29/03
- Previous message: Josh Welch: "RE: [fw-wiz] A little paranoia for the weekend..."
- In reply to: Josh Welch: "RE: [fw-wiz] A little paranoia for the weekend..."
- Next in thread: ark_at_eltex.net: "Re: [fw-wiz] A little paranoia for the weekend..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Josh Welch <jwelch@buffalowildwings.com>
Date: Tue, 29 Jul 2003 17:03:22 -0400 (EDT)
On Tue, 29 Jul 2003, Josh Welch wrote:
> > > Sure. That's what one-time passwords are for ;-)
> >
> > Classic security/admin mindset--
> >
> > The data is often much more important than the credential. Protecting
> > the credential doesn't solve the problem for most situations. That's why
> > we spent so much time as an industry on SSL, and not enough on Web server
> > security.
> >
> In this case, however, it seems to have been the credentials that were
> compromised. From what I have seen of gotomypc, their data security is
> pretty good. The problem lies in keeping secure credentials that may be used
> in god knows what kind of circumstances. The instance of the trojaned
> terminal at some public location seems to be how this type of system would
> be most likely compromised.
> Josh
But keystroke loggers aren't just for passwords, and lots of trojans have
contained screen scrapers for a while. The point of the password is to
limit access to the data for most users (admin mindsets are about access
to machines- that's why it's a classic issue.) Solving the "credential
isn't compromised" problem is only a part of the solution, and may only
be the most trivial of them. For instance, remote access may only be
valid for a small window of time, but one look at the data may devastate
an organization. Thinking of keyboard loggers and trojans as password
snooping devices only narrows your defenses.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
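The point Paul makes above (a one-time password bounds replay of the credential, but does nothing for data already rendered on a trojaned terminal) is easy to show in code. What follows is an added example, not code from the original thread, from GoToMyPC, or from either poster: a small RFC 6238 TOTP verifier with a reuse check, plus a constructed model of a compromised public terminal that records both keystrokes and the screen. The secret is the RFC 6238 test secret, the account records are made-up sample data, and the terminal and service classes are hypothetical stand-ins for the remote-access product being discussed.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // step), digits)


class OtpVerifier:
    """Server side: accepts a code only within +/-1 time step and never twice."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret = secret
        self.step = step
        self.used_counters = set()

    def verify(self, code: str, now: int) -> bool:
        counter = int(now // self.step)
        for c in (counter - 1, counter, counter + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.used_counters:
                    return False          # replay of an already-consumed OTP
                self.used_counters.add(c)
                return True
        return False                      # outside the acceptance window


class TrojanedTerminal:
    """Constructed model of a compromised public kiosk: it logs keystrokes
    and scrapes the screen, exactly as the thread describes."""

    def __init__(self):
        self.keystrokes = []
        self.screen = []

    def type_text(self, text: str) -> str:
        self.keystrokes.append(text)      # keystroke logger sees the OTP
        return text

    def display(self, text: str) -> str:
        self.screen.append(text)          # screen scraper sees the data
        return text


def remote_session(verifier, terminal, code, now, records):
    """Hypothetical remote-access service: on a valid OTP it renders the
    records on the terminal and returns them; otherwise returns None."""
    if not verifier.verify(terminal.type_text(code), now):
        return None
    for record in records:
        terminal.display(record)
    return list(records)


def scenario():
    secret = b"12345678901234567890"      # RFC 6238 test-vector secret
    verifier = OtpVerifier(secret)
    terminal = TrojanedTerminal()
    records = ["acct 1001 balance 250000",   # constructed sample data
               "acct 1002 balance 130000"]
    t0 = 1_000_000
    shown = remote_session(verifier, terminal, totp(secret, t0), t0, records)
    captured_otp = terminal.keystrokes[0]
    # Attacker replays the logged OTP seconds later: same counter, already used.
    replay_now = remote_session(verifier, terminal, captured_otp, t0 + 5, records)
    # Attacker replays it an hour later: counter far outside the window.
    replay_later = remote_session(verifier, terminal, captured_otp, t0 + 3600, records)
    return {
        "shown": shown,
        "replay_now": replay_now,
        "replay_later": replay_later,
        "leaked_screen": terminal.screen,   # the data walked out regardless
    }
```

Both replays fail, which is all the OTP was ever going to buy you; `leaked_screen` still holds every record the legitimate user looked at, so the defensive question is what the session is allowed to render on an untrusted endpoint, not only how the credential is protected.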