Educause Security Discussion mailing list archives
Re: Vulnerability? Or...not so much?
From: Vik Solem <vik.solem () TUFTS EDU>
Date: Mon, 5 Apr 2010 11:18:27 -0400
On Apr 3, 2010, at 23:27, Charles Buchholtz wrote:
On Sat, Apr 03, 2010 at 09:35:58PM -0400, David Shettler wrote:
Unfortunately, the vendor refuses to acknowledge that the problem is a security issue, and thus won't remedy it. Their opinion is that the URI randomization, and 60 minute temporary nature of the files is sufficient 'security'.
...
A sixty minute password is worse than a one-time pad or two factor, but it's better than a password that is changed monthly. This might be better than your normal authentication, or it may be worse.
When I think about a short term password I assume that it's for the purpose of temporary access in order to set a long term password. In that case, a sixty minute password might be used a few times a year to help a user reset their long term password. In the case of print jobs, it sounds like there may be tens or hundreds of print jobs per week, which provides a much larger overall attack surface for an attacker. Furthermore, in the case of an account password, there is likely auditing which will help to indicate access by an attacker. I'm guessing that this printer is not providing detailed access logs for such a purpose.

Unfortunately, for some vendors the only way they choose to correct security flaws is if their risky behavior is made public. From a business point of view they may have the position that if their customers don't care about it then they don't have to care either. They may be right. Their customers may get upset about some things (e.g. if the printer doesn't work), and may not get upset about others. They need to spend their limited resources where they get the best return on investment.

... just my 2 cents.

-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326
Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/
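A quantified version of the attack-surface comparison Vik makes above, written as an added example for this archive page rather than code from anyone in the thread. The job rates (a few resets per year, around a hundred print jobs per week) follow his message; the Poisson arrival model, the one-hour validity window and the 32-bit random URI component are assumptions made here to give the comparison concrete numbers.

```python
"""Exposure model for short-lived random secrets (added example, not from the list).
Assumed, not stated in the thread: Poisson arrivals, each secret valid for
lifetime_hours, random URI part drawn uniformly from 2**token_bits values."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_hour: float  # rate at which new temporary secrets are minted
    lifetime_hours: float   # validity window of each secret (60 min here)
    token_bits: int         # entropy of the random URI component (assumed)

    def expected_live(self) -> float:
        # Little's law: mean number of secrets valid at any given instant.
        return self.events_per_hour * self.lifetime_hours

    def hit_probability_per_guess(self) -> float:
        # One uniformly random guess matches some live secret with
        # probability live / keyspace (capped at 1 when live >= keyspace).
        return min(1.0, self.expected_live() / float(2 ** self.token_bits))

    def guesses_for_even_odds(self) -> float:
        # Smallest n with 1 - (1 - p)**n >= 0.5, i.e. n = ln 0.5 / ln(1 - p).
        p = self.hit_probability_per_guess()
        if p >= 1.0:
            return 1.0
        if p == 0.0:
            return math.inf
        return math.log(0.5) / math.log1p(-p)


def exposure_ratio(baseline: Scenario, other: Scenario) -> float:
    """How many times more live secrets `other` exposes than `baseline`."""
    return other.expected_live() / baseline.expected_live()


HOURS_PER_WEEK = 24 * 7
HOURS_PER_YEAR = 24 * 365
# Vik's two cases: a few password resets per year versus tens to hundreds of
# print jobs per week, both with a sixty-minute window (constructed figures).
password_reset = Scenario("password reset", 10 / HOURS_PER_YEAR, 1.0, 32)
print_release = Scenario("print release", 100 / HOURS_PER_WEEK, 1.0, 32)

if __name__ == "__main__":
    for s in (password_reset, print_release):
        print(f"{s.name:15s} live={s.expected_live():.4f} "
              f"p/guess={s.hit_probability_per_guess():.3e} "
              f"50% after {s.guesses_for_even_odds():.3g} guesses")
    print(f"exposure ratio: {exposure_ratio(password_reset, print_release):.0f}x")
```

The per-guess probability stays tiny with a well-chosen token, which is the vendor's argument; the exposure ratio shows why the number of secrets alive at once, not just the lifetime of each, decides how much a lack of access logging matters.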