Wednesday, November 26, 2008
Windows pen testing - access tokens
Tuesday, November 25, 2008
Simple but dreadful, part 3 - Workstation local administrator
- Logon scripts with clear text passwords (noooo!!!!!!!!!!)
- Scripts from SMS or other central management tool with clear text passwords (believe me, the users will found that!)
- That-same-very-secret-password-that-only-those-ten-guys-know-about-for-all-boxes mistake (yes, I mentioned that before. Just in case)
- Different passwords generate by a "security by obscurity" algorithm that uses the name of the workstation as input. Hey, if it's a bad idea on encryption why would it be a good idea for passwords?
Friday, November 21, 2008
After all, how infosec is related to SOX??
Friday, November 14, 2008
I've never seen my previous CSO role so well explained
Mogull on adaptative Auth and AuthZ
- "User: This is an area I intend to talk about in much greater depth later on. Basically, right now we rely on static authentication (a single set of credentials to provide access) and I think we need to move more towards adaptive authentication (where we provide an authentication rating based on how strongly we trust that user at that time in that situation, and can thus then adjust the kinds of allowed transactions). This actually exists today- for example, my bank uses a username/password to let me in, but then requires an additional credential for transactions vs. basic access.
- Transaction: As with user, this is an area we’ve underexplored in traditional applications, but I think will be incredibly valuable in cloud services. We build something called adaptive authorization into our applications and enforce more controls around approving transactions. For example, if a user with a low authentication rating tries to transfer a large sum out of their bank account, a text message with a code will be send to their cell phone with a code. If they have a higher authentication rating, the value amount before that back channel is required goes up. We build policies on a transaction basis, linking in environmental, user, and situational measurements to approve or deny transactions. This is program logic, not something you can add on."
Friday, November 7, 2008
Sarbanes Oxley, good to hear people questioning
John Pescatore is right when he says that talking about less regulation at this time seems to be not aligned with the current crysis, but the article he is pointing to is very precise on saying that the costs from SOX are pretty high and, as we could see, it wasn't able to prevent cases like Bear Sterns, Lehman Bros., AIG and Merrill Lynch. Accountants are as creative as lawyers, they will always look for breaches in the controls (laws) to do their magic.
SOX brought a lot of money to Information Security, but it also brought some directed focus on some controls that are not always the most required for all organizations. It would be nice to see a review of the law, verifying its results and actual costs.
The WPA sky is not falling
A lot of noise about a new research that "cracked" WPA was made this week. Well, there are more details about it today, and they clearly show that the WPA sky is not falling.
There is a very good abstract of what is happening on the article above:
"To describe the attack succinctly, it's a method of decrypting and arbitrarily and successfully re-encrypting and re-injecting short packets on networks that have devices using TKIP. That's a very critical distinction; this is a serious attack, and the first real flaw in TKIP that's been found and exploited. But it's still a subset of a true key crack."
So, it's not the final attack against WPA protected networks, but it is a very important building block for more elaborate attacks. I can see that in a near future we will see more serious stuff being done using this as a starting point. Keep your ears open.