Educause Security Discussion mailing list archives

Re: Vulnerability? Or...not so much?


From: Vik Solem <vik.solem () TUFTS EDU>
Date: Mon, 5 Apr 2010 11:18:27 -0400

On Apr 3, 2010, at 23:27 , Charles Buchholtz wrote:
On Sat, Apr 03, 2010 at 09:35:58PM -0400, David Shettler wrote:
Unfortunately, the vendor refuses to acknowledge that the problem is a
security issue, and thus won't remedy it.  Their opinion is that the
URI randomization, and 60 minute temporary nature of the files is
sufficient 'security'.

...
A sixty minute password is worse than a one-time pad or two factor,
but it's better than a password that is changed monthly.  This might
be better than your normal authentication, or it may be worse.

When I think about a short term password I assume that it's for the
purpose of temporary access in order to set a long term password.  In
that case, a sixty minute password might be used a few times a year to
help a user reset their long term password.  In the case of print
jobs, it sounds like there may be tens or hundreds of print jobs per
week, which provides a much larger overall attack surface for an
attacker.  Furthermore, in the case of an account password, there is
likely auditing which will help to indicate access by an attacker.
I'm guessing that this printer is not providing detailed access logs
for such a purpose.

Unfortunately, for some vendors the only way they choose to correct
security flaws is if their risky behavior is made public.  From a
business point of view they may have the position that if their
customers don't care about it then they don't have to care either.  They
may be right.  Their customers may get upset about some things (e.g.
if the printer doesn't work), and may not get upset about others.
They need to spend their limited resources where they get the best
return on investment.

... just my 2 cents.

-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326

Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/
