Security Basics mailing list archives

Re: Bank Of Montreal Online Security


From: Davin Enigl <davinenigl () comcast net>
Date: Tue, 30 Oct 2012 08:04:38 -0700



On 10/30/2012 04:55 AM, Alexander Meesters wrote:
I don't think brute-force is the issue here; most likely an attack on such a system would be by SQL injection. Once 
they have the credentials, it's easy enough to utilize rainbow tables in order to get a usable password. 

Although it's unlikely a bank would use an unsafe hashing algorithm like MD5 or SHA1, the rainbow tables available 
today for those algorithms are up to 12 characters in length. 

IMHO they, and for that matter everybody, are far better off using pass-phrases, for example: "i do not like waffles" 
or "my 2 grand kids are awesome!" 
It's both easily memorable and tough to crack, and far exceeds any available rainbow table out there! 

I worked for the last five years on the NSA/NIST SHA-3 hash project. I
assure you, if you do not double-salt your password hashes (even SHA-3)
--- then you are inviting rainbow pre-imaging.

Double salt, now! Corporate salt and individual user salt. Both. See how
to stop password cracking at:  http://crackstation.net/  This is the
best site I've ever seen on this subject.

Also, hackers only have to be right once. They are not stupid. They do
not "brute-force" anything. They APT -- or variations thereof.
http://en.wikipedia.org/wiki/Advanced_persistent_threat

--Davin Enigl
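
The "double salt" Davin describes above, as an added worked example that is not part of the thread: a per-user random salt stored with the record plus a site-wide secret (his "corporate salt", usually called a pepper today) kept out of the database. The constructed wordlist and the direct hash-to-password lookup table stand in for a precomputed rainbow table (a real rainbow table is a time/memory trade-off over the same idea); the pepper value, the PBKDF2 iteration count and every password below are made up for the demonstration, and nothing here is Bank of Montreal's code.

```python
"""Why unsalted hashes fall to precomputed tables, and how per-user salt
plus a site-wide pepper defeats them.  Constructed example only."""
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a precomputed table's input.
SAMPLE_WORDLIST = ["password", "letmein", "waffles123", "i do not like waffles"]

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your own hardware budget


def build_unsalted_table(wordlist):
    """Precompute bare SHA-1 of every candidate, as an attacker's table does."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}


def unsalted_hash(password):
    """The weak scheme the thread warns about: bare SHA-1, no salt at all.
    Every user with the same password gets the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup(table, digest_hex):
    """Instant recovery if the digest was ever precomputed, else None."""
    return table.get(digest_hex)


def hash_password(password, pepper, salt=None, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt (stored beside the digest) + site-wide pepper
    (kept in config or an HSM, never in the user table) + slow PBKDF2.
    Returns (salt, digest) so the caller can store both."""
    if salt is None:
        salt = os.urandom(16)
    # Pepper first: HMAC keyed with the server secret, so a dump of the
    # user table alone gives an attacker nothing to precompute against.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    # Then the per-user salt and a deliberately slow derivation.
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return salt, digest


def verify_password(password, pepper, salt, stored_digest,
                    iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, pepper, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


def demo():
    """Unsalted: table lookup recovers the password.  Salted + peppered:
    two users with the same password get different digests and the
    table finds nothing."""
    table = build_unsalted_table(SAMPLE_WORDLIST)
    recovered = lookup(table, unsalted_hash("waffles123"))  # "waffles123"
    pepper = b"constructed-site-secret"  # assumption: lives outside the DB
    _, digest_a = hash_password("waffles123", pepper)
    _, digest_b = hash_password("waffles123", pepper)
    return recovered, digest_a != digest_b, lookup(table, digest_a.hex()) is None


if __name__ == "__main__":
    print(demo())  # ('waffles123', True, True)
```

The order matters for a breach: the salt is public by design and only stops precomputation across users, while the pepper is what makes a database-only leak insufficient, so it must be stored and backed up separately from the user table.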

