Security Basics mailing list archives
Device Authentication - The answer to attacks launched using stolen passwords?
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Tue, 5 Sep 2006 12:17:25 -0700
A recent "self-serving" report by Phoenix Technologies indicated that 84% of attacks could have been prevented only if Device Authentication was used in addition to user authentication.

- Evidence Abounds:
· Losses from stolen IDs and passwords far exceeded damages from worms, viruses, and other attack methods not utilizing logon accounts
· Vast majority of attackers, 78 percent, committed crimes from their home computers; most often using unsanctioned computers with no relationship to the penetrated organization
· 88 percent of those crimes were committed from a home PC using stolen IDs and passwords and following normal logon procedures.

- Link to full report: https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf

- Their solution? Use Trusted Platform Module to authenticate devices.

- Problem? TPM can also be used to force DRM. (EFF and ACLU members don't like DRM, to say the least.)

- Alternatives?
1) Be a sitting duck. Passwords WILL be stolen and USED to cause financial damage;
2) Use software-based device authentication, e.g. Passmark as used by Bank of America
3) Create a world-wide PKI, issue SSL certificates to machines as well as users, and then perform client side authentication from the server.
4) Use IP addresses to perform machine authentication. <grin>

- Read more at: http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243

Any thoughts?