Firewall Wizards mailing list archives
RE: A little paranoia for the weekend...
From: Paul Robertson <proberts () patriot net>
Date: Tue, 29 Jul 2003 17:03:22 -0400 (EDT)
On Tue, 29 Jul 2003, Josh Welch wrote:
Sure. That's what one-time passwords are for ;-)

Classic security/admin mindset-- The data is often much more important than the credential. Protecting the credential doesn't solve the problem for most situations. That's why we spent so much time as an industry on SSL, and not enough on Web server security.

In this case, however, it seems to have been the credentials that were compromised. From what I have seen of gotomypc, their data security is pretty good. The problem lies in keeping secure credentials that may be used in god knows what kind of circumstances. The instance of the trojaned terminal at some public location seems to be how this type of system would be most likely compromised.

Josh
But keystroke loggers aren't just for passwords, and lots of trojans have contained screen scrapers for a while. The point of the password is to limit access to the data for most users (admin mindsets are about access to machines- that's why it's a classic issue.) Solving the "credential isn't compromised" problem is only a part of the solution, and may only be the most trivial of them. For instance, remote access may only be valid for a small window of time, but one look at the data may devastate an organization. Thinking of keyboard loggers and trojans as password snooping devices only narrows your defenses.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
proberts () patriot net
probertson () trusecure com
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."