Vulnerability Development mailing list archives
Re: Single SignOn
From: thegnome () NMRC ORG (Simple Nomad)
Date: Thu, 24 Feb 2000 08:55:43 -0600
The best (or worst, depending on perspective) thing about single signon is that it simplifies the cracking process. If an intruder knows that single signon is in use at a corporation s/he wishes to crack, they attack the weakest or least protected system, and then have access to all of them. This is probably the main reason you do not see more info on the net about them. One of the weakest points in the security chain has got to be the poorly-chosen end-user password.

Example:

0. Attacker wants to get to mainframe-based payroll system to cut themselves a check. The only cool privately held thing in their toolbox is a Unix exploit which requires local access. BTW the attacker is a disgruntled employee.
1. Attacker launches L0phtcrack and sniffs hashes. Cracks some passwords.
2. One of the users cracked is also on Unix, but not in Payroll.
3. Attacker logs in to Unix and runs his exploit.
4. Installs sniffer to capture passwords.
5. Eventually gets a user/password combo for someone in Payroll.

Now that I no longer work for a Fortune 200 company, I love Single SignOn ;-)

- Simple Nomad - No rest for the Wicca'd -
- thegnome () nmrc org - www.nmrc.org -
- thegnome () razor bindview com - razor.bindview.com -

On Wed, 23 Feb 2000, Vanna P. Rella wrote:
> BlueBoar and Friends,
>
> I am evaluating 2 products for securing e-commerce applications. These are GetAccess by EnCommerce and Secure Net by IBM. Please break both of these products and let me know which one is more secure.
>
> Ok, just kidding. Have any of you heard of any gotchas or security holes with either of these products? I've already checked out the major vulnerability sites cve.mitre.org, securityfocus.com, attrition.org, ntbugtraq.com, etc. I've also checked the usenet. And I can't believe that there aren't any holes.
>
> What is the most popular e-commerce single sign-on out there, anyway?
>
> Thanks!
>
> ---
> Your Best Friend,
> Vamprella
> ---
> http://www.vamprella.com -- 1998 SN&R Award -- 1999 Losers Award
> http://www.TheGirlBox.com -- Get TheGirlBox and give her one less thing to complain about.
> "Worship Me and Await Instructions"
>
> ***********************************
> chickclick.com http://www.chickclick.com girl sites that don't fake it.
> http://www.chickmail.com sign up for your free email.
> http://www.chickshops.com boutique shopping from chickclick.com
> ***********************************