Educause Security Discussion mailing list archives

Re: iPad and access to university ERP


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 22 Jul 2010 10:25:16 -0400

To take this discussion down a different road .. our findings are that the weak point of this process is the passwords that people use to secure their RDP sessions.

Right now, there are 12 IPs scanning our campus looking for RDP sessions to launch a brute force attack against.

We recommend at least 15 character passwords (usual caveats, upper, lower, numbers, no dictionary words, etc.)

I wouldn't worry so much about someone sniffing the pages flying thru the air .. I would worry more about them planting a key logger on the base machine :-)

My 2 cents.

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Thursday, July 22, 2010 8:08 AM -0600 "SCHALIP, MICHAEL" <mschalip () CNM EDU> wrote:

My point is that this kind of connection isn't persistent.  Realistically - someone would have to be sniffing the traffic - discover the session - attempt to "brute force" it - and hope to get something meaningful from the session.

Yeah - sometimes "good enough" is just that.....(just my take....)

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Wednesday, July 21, 2010 9:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

On Wed, 21 Jul 2010 16:45:27 MDT, "SCHALIP, MICHAEL" said:

But.....given that the session *is* encrypted - and not persistent- wouldn't *any* kind of encryption be serviceable for something like this?

*any* kind? Given today's CPU speeds, 40 bit encryption is essentially rot-13. Brute-force test all 1,099,511,627,776 keys in a few minutes.  If you have a botnet of more than a few hundred machines, it will take more compute power to distribute the job than it will to break the keys.  Still think "*any*" is good enough? :)








