RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

From: Richards, Jim (jim.richards_at_dot.state.wi.us)
Date: 06/20/05

  • Next message: Adam Shostack: "Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd"
    To: "'Behm, Jeffrey L.'" <BehmJL@bvsg.com>, "Marcus J. Ranum" <mjr@ranum.com>, David Lang <david.lang@digitalinsight.com>
    Date: Mon, 20 Jun 2005 15:51:39 -0500
    
    

    The problem with that analogy is that the bear will be much more motivated
    and persistent when the runner is coated in honey (or credit card
    information).

    Jim Richards
    Computer Security Officer
    Wisconsin Department of Transportation

    -----Original Message-----
    From: Behm, Jeffrey L. [mailto:BehmJL@bvsg.com]
    Sent: Monday, June 20, 2005 11:26 AM
    To: Marcus J. Ranum; David Lang
    Cc: Firewal Wizards
    Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

    On Sunday, June 19, 2005 4:40 PM, Marcus J. Ranum spake:

    >David Lang wrote:
    >> 2. require authentication that isn't fully contained on the
    >> remote system (i.e. a token or one-time password, a digital
    >> certificate with a passphrase is NOT good enough)
    >>
    >That doesn't work, either. If you assume that the endpoint is insecure
    >(and it is, so that's a safe assumption) the 2 factor authentication works
    >only because it's harder to bypass than a password. If everyone was
    >using 2 factor authentication, you can bet hacker toolkits would be
    >full of nasty rootkits and malware that stole live sessions, or typed
    >keystrokes into live sessions once they came up (transparently, of course)
    >
    >mjr.

    True, Marcus, but not everyone _does_ use 2 factor auth. So, at this
    point, it can be effective. You don't gotta outrun the bear, just
    the guy next to you.

    Jeff
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

