Security Basics mailing list archives
Re: security against dba´s
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Fri, 13 Feb 2009 13:09:44 +0100
On 2009-02-13 Adam Pal wrote:
> Certainly you can have the key stored on the same system without losing security, let's use for instance a FIPS 140-2 certified device.

Let's use a system that is typical for running database servers, shall we?

> Then let's load the "super key" into the machine's protected memory,

I'm not familiar with FIPS 140-2, so maybe these are stupid questions, but still: How do you load that "super key" into the protected memory without local users being able to get hold of it? From where are you loading it? How is it ensured that local users can't access the key in the protected memory?

> so once loaded is functional and kills itself in case of intrusion.

To be able to act on an intrusion, you have to *detect* the intrusion in the first place. On top of that, even if you did detect an intrusion, how do you ensure that the attacker isn't able to get the information he wants before the system is shut down (or whatever)?

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq