Firewall Wizards mailing list archives

RE: A little paranoia for the weekend...


From: Paul Robertson <proberts () patriot net>
Date: Tue, 29 Jul 2003 17:03:22 -0400 (EDT)

On Tue, 29 Jul 2003, Josh Welch wrote:

Sure. That's what one-time passwords are for ;-)

Classic security/admin mindset--

  The data is often much more important than the credential.  Protecting
the credential doesn't solve the problem for most situations.  That's why
we spent so much time as an industry on SSL, and not enough on Web server
security.

In this case, however, it seems to have been the credentials that were
compromised. From what I have seen of gotomypc, their data security is
pretty good. The problem lies in keeping secure credentials that may be used
in god knows what kind of circumstances. The instance of the trojaned
terminal at some public location seems to be how this type of system would
be most likely compromised.
Josh

But keystroke loggers aren't just for passwords, and lots of trojans have 
contained screen scrapers for a while.  The point of the password is to 
limit access to the data for most users (admin mindsets are about access 
to machines- that's why it's a classic issue.)  Solving the "credential 
isn't compromised" problem is only a part of the solution, and may only 
be the most trivial of them.  For instance, remote access may only be 
valid for a small window of time, but one look at the data may devastate 
an organization.  Thinking of keyboard loggers and trojans as password 
snooping devices only narrows your defenses.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
