Net security software exposed

Swiss researchers have found a way around the most commonly used security system to protect passwords over the internet
http://news.bbc.co.uk/1/hi/technology/2785145.stm

--
Regard:
Joh@nnes
"If you know neither the enemy nor yourself, you will succumb in every battle"
Johannes
2/22/2003 12:44:00 AM
grc.security

The rebuttal.

http://slashdot.org/articles/03/02/20/1956229.shtml?tid=93&tid=172

Nils
Nils
2/22/2003 9:38:00 AM
Nils R Grotnes <nils@paragon.no> wrote in 
news:a53737ea4fa06fce176c2e1af9a62079@nilses.paragon.no:

> http://slashdot.org/articles/03/02/20/1956229.shtml?tid=93&tid=172

Thanks, Nils.

It seems to me that the issue is resolved more or less. It also seems 
that the vulnerability could be limited by getting one's mail then going 
offline rather than allowing periodic 'refreshing' of one's in-box.
So it is convenience vs security.

-- 
Alisdair

"Cum catapultae proscriptae erunt tum soli proscripti catapultas 
habebunt."
Alisdair
2/22/2003 11:30:00 AM
Alisdair

>> http://slashdot.org/articles/03/02/20/1956229.shtml?tid=93&tid=172
> It seems to me that the issue is resolved more or less. It also seems

There's a fix, and no known hostile code, so yes it is resolved. It's
also not an easy attack to do, a lot of conditions have to be met. But
it was a real problem, although with the implementation, not the
protocol (in contrast with what was said in the BBC article). At least
that is what the coders say, and I see no reason to disbelieve them at
this stage.

> that the vulnerability could be limited by getting one's mail then
> going offline rather than allowing periodic 'refreshing' of one's
> in-box. So it is convenience vs security.

Now you've lost me. You'd better describe in more detail how you think
periodic refreshing would make you vulnerable.

Updating to the newer version seems a better way, in any case... ;-)

Nils
-- 
Notery Sojac
Nils
2/22/2003 1:53:00 PM
Nils R Grotnes <nils@paragon.no> wrote in
news:cdd913c549618a2a099720e61bf11060@nilses.paragon.no: 

>> that the vulnerability could be limited by getting one's mail then
>> going offline rather than allowing periodic 'refreshing' of one's
>> in-box. So it is convenience vs security.
> 
> Now you've lost me. You'd better describe in more detail how you
> think periodic refreshing would make you vulnerable.
> 

If I read the articles correctly, the way that the original packets 
were captured was due to the periodic refreshing of the client's mail. 
Thus a constant exposure of the PW to intercept. From that I was 
hypothesizing that simply grabbing one's mail and then severing the 
connection would avoid having the PW constantly intercepted (every 5 
minutes or so).

> Updating to the newer version seems a better way, in any case...
> ;-) 
> 

No doubt about it. Have a good weekend!

-- 
Alisdair

"Cum catapultae proscriptae erunt tum soli proscripti catapultas 
habebunt."
Alisdair
2/22/2003 3:08:00 PM
Alisdair

>>> that the vulnerability could be limited by getting one's mail then
>>> going offline rather than allowing periodic 'refreshing' of one's
>>> in-box. So it is convenience vs security.
>> Now you've lost me. You'd better describe in more detail how you
>> think periodic refreshing would make you vulnerable.
> If I read the articles correctly, the way that the original packets
> were captured was due to the periodic refreshing of the client's mail.
> Thus a constant exposure of the PW to intercept. From that I was
> hypothesizing that simply grabbing one's mail and then severing the
> connection would avoid having the PW constantly intercepted (every 5
> minutes or so).

Ah! I should have read it more thoroughly. The attacker needs you to
supply the packets to be manipulated; I was thinking they could do
that part themselves. Then it seems sending logon packets less often
will make the cracking take a longer time, I agree.

Thanks for the explanation.

Nils
-- 
Notery Sojac
Nils
2/22/2003 4:28:00 PM