Tracy Kitten at BankInfo has an interesting article about the Ramnit worm which is worth a read (even, I would say, by the general public). Ramnit is particularly pernicious because:
That said, I’m not sure I agree with the solution espoused:
Certainly a challenge-response methodology would be effective if the response were dynamic (say, an RSA key fob or equivalent smartphone software). However, if the two factors are both static values, nothing stops the malware from eventually being designed to capture both of them. It would be false security to believe this is a permanent solution.

The article then goes on to say:

“Passphrases are better than passwords, but multifactor authentication is the new standard. ‘Nobody should be using their social-media passwords or phrases for their financial accounts,’ Wansley says.”

While I absolutely agree that users shouldn’t reuse the same password across financial or other sensitive websites, I’m not convinced that making passwords stronger is generally the answer. Yes, if you use straight dictionary words (which the websites should reject), you are at risk; but a mix of case and, say, a digit makes the password effectively unguessable from the outside, provided the website properly implements delays and lockouts on failed login attempts.

In my opinion the industry puts too much emphasis on strong passwords because people confuse a compromised hash (the hashed form of the password, which the site stores instead of the password itself) with an external brute-force attack. If the hash is lost, one should simply assume the password is compromised regardless of how strong it is: the attacker can test guesses offline at whatever rate their hardware allows, with no delay or lockout in the way. Most recent compromises, however, involve either brute-force attacks from the outside or outright capture of the cleartext password; those are different animals from a hash loss. Again, a marginally strong password with delays and lockouts will easily survive a brute-force attack from an external source (i.e. the web). That’s not to say a degree of password strength isn’t important, but making passwords too difficult to remember can be counterproductive, as it encourages users to write them down or use other insecure methods.
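As an added illustration of the delays-and-lockouts point above (this is example code written for this page, not anything from the BankInfo article or from the Ramnit analysis), here is a per-account login throttle with escalating delays and a lockout, plus a back-of-envelope bound on how many guesses such a policy leaves an attacker coming in over the web versus one holding a leaked hash. The thresholds (5 failures, 2-second base delay, 15-minute lockout), the 8-character mixed-case-plus-digit password, and the offline rate of a billion guesses per second are illustrative assumptions, not numbers from the post.

```python
"""Added example (not from the original post): a login throttle with
escalating delays and a lockout, plus a bound on the online guessing rate it
leaves an outside attacker.  All thresholds are illustrative assumptions."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success/lockout
    not_before: float = 0.0    # attempts before this time are refused (delay)
    locked_until: float = 0.0  # attempts before this time are refused (lockout)


@dataclass
class LoginThrottle:
    """Server-side throttle keyed by account name.  check() is called before
    the password is verified; record() afterwards with the outcome."""
    max_failures: int = 5             # failures that trigger a lockout (assumed)
    base_delay: float = 2.0           # seconds of delay after the first failure
    lockout_seconds: float = 900.0    # 15 minutes (assumed policy)
    clock: Callable[[], float] = time.time   # injectable for testing
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def check(self, user: str) -> Tuple[bool, str]:
        """Is an attempt for this account allowed right now?"""
        st, now = self._state(user), self.clock()
        if now < st.locked_until:
            return False, "locked"
        if now < st.not_before:
            return False, "delay"
        return True, "ok"

    def record(self, user: str, success: bool) -> Tuple[bool, str]:
        """Update the account after a verified attempt and report its new state."""
        st, now = self._state(user), self.clock()
        if success:
            self.accounts[user] = AccountState()   # clean slate on success
            return True, "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0                        # fresh window after the lockout
            return False, "locked"
        # exponential back-off between attempts: 2s, 4s, 8s, ...
        st.not_before = now + self.base_delay * 2 ** (st.failures - 1)
        return False, "delay"


def max_online_guesses(max_failures: int, lockout_seconds: float,
                       horizon_seconds: float) -> int:
    """Upper bound on guesses against one account within horizon_seconds when
    every max_failures failures cost a lockout_seconds lockout.  The per-attempt
    delays are ignored, so this over-estimates what the attacker gets."""
    windows = horizon_seconds // lockout_seconds + 1
    return int(windows * max_failures)


def attack_comparison(max_failures: int, lockout_seconds: float,
                      alphabet_size: int, length: int,
                      offline_guesses_per_second: float) -> dict:
    """Contrast the online bound with offline cracking of a leaked hash.
    The offline rate is an assumption; real rates depend on the hash used."""
    keyspace = alphabet_size ** length
    online_per_day = max_online_guesses(max_failures, lockout_seconds, 86400)
    return {
        "keyspace": keyspace,
        "online_guesses_per_day": online_per_day,
        "online_years_to_exhaust": keyspace / online_per_day / 365,
        "offline_days_to_exhaust": keyspace / offline_guesses_per_second / 86400,
    }


if __name__ == "__main__":
    # 8 chars from [A-Za-z0-9] against the assumed policy and a 1e9/s cracker
    print(attack_comparison(5, 900, 62, 8, 1e9))
```

The point the numbers make is the one in the post: with a lockout in place the web-facing attacker gets a few hundred guesses per account per day and never exhausts even a modest keyspace, while the same keyspace falls to an offline cracker in days, which is why a lost hash should be treated as a lost password.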
In that regard passphrases can be a benefit: they can be easy to remember and strong at the same time. I think too often security professionals focus on what works for them and not on the reality of the end-user community they are serving. Sure, that gawd-awful password complexity requirement is the ideal, but if your end users end up writing it on a Post-it or in an Excel spreadsheet, the game is over.

In theory, if the world were filled with universally good people, “bitly” and “TinyURL.com”, which turn long URLs into short ones, would be a great idea. However, whenever I get one I find that I’m frankly terrified to click on it. Why? Because while it could be going someplace useful, it could also be going to a giant virus-laden web site, a nasty bug-exercising Flash app, or even a porn site that’s going to get me in dutch at the job. I mean, here’s one:

How do you know where it goes? It happens to go to my resume, but it could go to a virus, a trojan, something completely inappropriate (or even illegal). Again, it’s a wonderful idea, and more power to those who can stomach them, but I can’t. Heck, I even get them sent to me by security professionals. Granted, even URLs that clearly go to well-known sites carry some risk, but the extra layer of obfuscation (as nice as it is) really increases it. No offense to the owners of “bitly” or “TinyURL.com”, who are certainly providing a public service, but it’s one that is too nerve-wracking for this security professional.

To add ringtones (or notifications or alarms) to an Android phone, connect the phone to your computer and go to the top level of the drive that is mounted. Under that drive you can create (though they may already exist):

/alarms or /media/alarms or /media/audio/alarms
/notifications or /media/notifications or /media/audio/notifications
/ringtones or /media/ringtones or . . .
→ Read More: Adding ringtones to Android

Two links from Intel are particularly useful for desktop/laptop users. First, this tool will find out whether the Intel drivers you’re using are up to date: http://www.intel.com/p/en_US/support/detect. Since many if not most desktops/laptops include some Intel-based chipset (even if the main CPU isn’t Intel), this is a pretty useful site to use. If . . .

→ Read More: Useful Intel links…

This failure of the trusted Certificate Authority (CA) “Comodo”:

http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/

highlights something that is becoming more apparent: SSL certificates probably aren’t worth the bits they’re printed on. Forgetting that there is a fairly regular stream of issues with the authorities, companies like GoDaddy issue certificates for all of $12 with nearly . . .

→ Read More: SSL certs – probably not worth the bits they’re printed on…

If you get something like this in your Cisco IOS zone-based firewall log:

Mar 12 15:05:33 192.168.1.1 3129: 003121: *Mar 12 15:03:03.195 EST: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:525214740 1415 bytes is out-of-order; expected seq:525170856. Reason: TCP reassembly queue overflow - session 192.168.1.5:53022 to 208.79.250.63:80 on zone-pair ccp-zp-in-out class ccp-protocol-http

sometimes accompanied by hangs in . . .

→ Read More: Zone Firewall TCP reassembly size

I have to say one of my pet peeves is when vendors (and a lot seem to do it today) send emails or leave voicemails acting as though we’ve known each other for years, when in fact we haven’t even exchanged greetings before. I don’t know if that works for others, but for me . . .

→ Read More: Dear Vendors…

Pretty simple from the console, really:

vmkfstools -d eagerzeroedthick -i <virtual-disk-source>.vmdk <virtual-disk-target>.vmdk

Note that this will completely expand the virtual disk to its full provisioned size (i.e. it will no longer be “thin”).
I needed this not to convert a “thin” filesystem to a “thick” one, but a “thick” filesystem to a clusterable “thick” filesystem. The default . . .

→ Read More: Converting VMware virtual disk to “eagerzeroedthick”

Via SwissInfo: “The computer industry is the only industry that is more fashion-driven than women’s fashion,” Oracle founder Larry Ellison commented on cloud computing recently. “Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane.” I think there’s more to it than just . . .

→ Read More: Larry Ellison on “Cloud Computing”
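Returning to the URL-shortener post above, the question “How do you know where it goes?” has a practical answer: ask the shortener for its redirect without following it. The following is an added example written for this page (not code from the post, bitly or TinyURL.com): it issues HEAD requests, reads each Location header by hand instead of letting the HTTP library follow redirects, and stops on loops or over-long chains, so the final site is never contacted just to learn where the link leads. The hostnames in the usage note and any allowlist are assumptions for illustration.

```python
"""Added example (not from the original post): expand a shortened URL by
walking its redirect chain with HEAD requests and no automatic following."""
import http.client
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 5                                   # assumed cap on chain length
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def head_no_redirect(url, timeout=5):
    """One HEAD request; returns (status, Location header or None).
    Never follows the redirect and never fetches a body."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_no_redirect, max_hops=MAX_HOPS):
    """Walk the redirect chain by hand.  Returns (chain, status) where status
    is 'final', 'loop', 'too_many_hops' or an 'error: ...' string.  `fetch`
    is injectable so the logic can be exercised without network access."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        try:
            status, location = fetch(chain[-1])
        except (OSError, http.client.HTTPException, ValueError) as exc:
            return chain, "error: %s" % exc
        if status not in REDIRECT_STATUSES or not location:
            return chain, "final"
        nxt = urljoin(chain[-1], location)     # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def verdict(chain, trusted_hosts):
    """Reasons not to click: final host outside the allowlist, or a plain-http
    hop anywhere after the shortener itself (an interception point)."""
    problems = []
    final_host = urlsplit(chain[-1]).hostname
    if final_host not in trusted_hosts:
        problems.append("final host %s not in allowlist" % final_host)
    if any(urlsplit(u).scheme == "http" for u in chain[1:]):
        problems.append("chain includes a plain-http hop")
    return problems


if __name__ == "__main__":
    import sys
    # usage: python expand.py https://short.example/abc  (hostname is an assumption)
    chain, status = expand(sys.argv[1])
    print(status, " -> ".join(chain))
    print(verdict(chain, trusted_hosts={"www.example.com"}) or "looks acceptable")
```

Note that a HEAD request still tells the shortener you looked, and some services answer HEAD differently from GET; the check reduces, rather than removes, the blind-click risk the post describes.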
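For the zone-firewall post above, the page cuts off before the remedy, so the following added example covers only the detection side: it is code written for this page (not from the post or from Cisco), parsing %FW-4-TCP_OoO_SEG messages out of IOS syslog lines and aggregating drops per session so the flows hitting the reassembly queue limit stand out. The sample log is constructed: the first line is modelled on the post’s own, and the others use the same format with documentation addresses. The separator before “session” is matched as either a hyphen or an en dash, since copies of these lines that pass through a blog or mailer often have the hyphen rewritten.

```python
"""Added example (not from the original post): aggregate Cisco IOS
zone-based firewall TCP_OoO_SEG drops per session from syslog lines."""
import re
from collections import defaultdict

OOO_RE = re.compile(
    r"%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:(?P<seq>\d+) (?P<bytes>\d+) bytes "
    r"is out-of-order; expected seq:(?P<expected>\d+)\. Reason: (?P<reason>.+?) [-\u2013] session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)"
)

# Constructed sample: receiver timestamp, device, sequence counters, device
# timestamp, then the IOS message.  One unrelated message is mixed in.
SAMPLE_LOG = """\
Mar 12 15:05:33 192.168.1.1 3129: 003121: *Mar 12 15:03:03.195 EST: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:525214740 1415 bytes is out-of-order; expected seq:525170856. Reason: TCP reassembly queue overflow - session 192.168.1.5:53022 to 208.79.250.63:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
Mar 12 15:05:33 192.168.1.1 3130: 003122: *Mar 12 15:03:03.201 EST: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:525216155 1415 bytes is out-of-order; expected seq:525170856. Reason: TCP reassembly queue overflow - session 192.168.1.5:53022 to 208.79.250.63:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
Mar 12 15:05:34 192.168.1.1 3131: 003123: *Mar 12 15:03:04.010 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.9)
Mar 12 15:05:34 192.168.1.1 3132: 003124: *Mar 12 15:03:04.150 EST: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:525217570 1415 bytes is out-of-order; expected seq:525170856. Reason: TCP reassembly queue overflow - session 192.168.1.5:53022 to 208.79.250.63:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
Mar 12 15:05:40 192.168.1.1 3133: 003125: *Mar 12 15:03:10.900 EST: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1000 1380 bytes is out-of-order; expected seq:900. Reason: TCP reassembly queue overflow - session 192.168.1.7:40112 to 203.0.113.10:443 on zone-pair ccp-zp-in-out class ccp-protocol-https
"""


def parse_line(line):
    """Fields of one TCP_OoO_SEG message, or None for any other message."""
    m = OOO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "bytes", "expected", "sport", "dport"):
        rec[key] = int(rec[key])
    # how far past the expected sequence number the dropped segment sat
    rec["gap"] = rec["seq"] - rec["expected"]
    rec["session"] = "%s:%d->%s:%d" % (rec["src"], rec["sport"], rec["dst"], rec["dport"])
    return rec


def summarize(lines):
    """Per-session drop count, bytes discarded, largest gap, zone-pair, class, reasons."""
    out = defaultdict(lambda: {"drops": 0, "bytes": 0, "max_gap": 0,
                               "zone_pair": None, "class": None, "reasons": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = out[rec["session"]]
        s["drops"] += 1
        s["bytes"] += rec["bytes"]
        s["max_gap"] = max(s["max_gap"], rec["gap"])
        s["zone_pair"], s["class"] = rec["zone_pair"], rec["cls"]
        s["reasons"].add(rec["reason"])
    return dict(out)


def flag_sessions(summary, min_drops=3):
    """Sessions with at least min_drops drops, most drops first: the flows whose
    out-of-order bursts are overflowing the firewall's reassembly queue."""
    hits = [(k, v) for k, v in summary.items() if v["drops"] >= min_drops]
    return [k for k, _ in sorted(hits, key=lambda kv: -kv[1]["drops"])]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for sess in flag_sessions(summary):
        print(sess, summary[sess])
```

Pointing the same functions at a real syslog file (one line per message) gives the list of client/server pairs and zone-pair/class names to look at first; a large max_gap on a single long-lived session is the pattern to expect when a bulk transfer is being dropped rather than a hostile scan.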
Copyright © 2012 mattfahrner.com - All Rights Reserved