
| Subject: | RE: [Fwd: Re: new opensource security system product launched] |
|---|---|
| Date: | Wed Oct 13 08:48:41 EDT 2004 |
(Note: the following is not a plug, but a reference.) In the new book from Syngress, The Mezonic Agenda: Hacking the Presidency, by Dr. Herbert H. Thompson and Spyros Nomikos, the fictitious security expert is annoyed by a blowhard who is pushing a new "uncrackable" authentication system. In the end, the guru finds he is not doing ANY checking on the server, so he executes a cmd shell on the MSSQL server and rewrites the homepage about how much of a fool he is. (My opinion: so far great reading on the book.)

This speaks to the overall security controls needed for web applications and the secured storage of the logon information. If the overall controls break down, it does not matter if you have a minimum of 24 characters for passwords, the password will be there for the taking. (Note: I like 24 character passwords :-) )

Regards,
Shirkdog Security Information
http://www.shirkdog.us

-----Original Message-----
From: simon@xhz.ca [mailto:simon@xhz.ca]
Sent: Saturday, October 09, 2004 9:47 PM
To: webappsec@securityfocus.com
Subject: Re: [Fwd: Re: new opensource security system product launched]
Importance: Low
Why stop with user id and password? Look at other levels of authentication. Let's go beyond user id and password and look at other uses for this authentication method.

Like ask for personal information? You can google for websites, forums and newsgroups; even mailing lists can be googled, and if you are the target of a hacker, the hacker will do his detective work and find all the information: wife's name, children's names, dog's name, date of marriage, and so on... There was a good document I read some time ago that explained the power of Google for detective work like this; if I find it I'll post it in this thread (if the discussion is still around this topic).

And besides personal info, what could you ask for, a second password? Hey, let's have a username and four passwords of 8 chars each! The problem is much more in the user's hands. He will put his password in some file which can be read by spywarez, friends, friends of friends; he might even disclose the pass to a friend of his, by email! There is no way at the auth level to be more secure than asking for a user&pass; anything more is fancy and useless. The only thing that will be good is to enforce a strong password policy, to force users to change it (and while doing so, why not educate them on the importance of not disclosing personal info!). And if your users are intelligent, then you don't need anything more: they will not tell their password, and their password will contain letters and numbers, capitals, punctuation and so on...

Simon

--
Simon Lemieux (Simon@Xhz.ca)

!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+
CryptoMail provides free end-to-end message encryption. http://www.cryptomail.org/
Ensure your right to privacy. Traditional email messages are not secure. They are sent as clear-text and thus are readable by anyone with the motivation to acquire a copy.
!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+