Skip to main content

The WiKID Blog

Viewing posts by admin

more-proof-that-mutual-authentication-is-needed

Posted by: admin 16 years, 3 months ago

The number of phishing sites soared in October. Phishers are using bot-nets to create fake domains faster than anti-phishing toolbar vendors can blacklist them. It explains why phishers haven't tried to DDOS the blacklists and it shows that getting users to the correct site via strong mutual authentication is the way to go.

read more / 0 comments

logins-for-ftp-sites-offered-for-sale

Posted by: admin 16 years, 3 months ago

According to Techworld, Finjan has discovered that logins for 8,700 FTP servers are for sale.

Using the Alexa.com domain ranking, Finjan found 10 of the top 100 domains in the database, 100 of the top 500 domains, and 50 of those between 500 and 1,000.
My reaction: FTP? Really? You've got to at least hope that it's SFTP.
The hacked servers could be used to distribute crimeware by injecting iframe tags into any webpage stored on the compromised FTP servers. Indeed the server accounts were themselves being traded by a web application able to rank and price them according to their Google page rank for re-sale to other criminals.
Fancy.

read more / 0 comments

more-on-de-perimeterization

Posted by: admin 16 years, 3 months ago

Having just posted on de-perimeterization, I thought that this quote from Scott Borg of the U.S. Cyber Consequences Unit on the consequences of breaches:

"We started seeing huge vulnerabilities," Borg said Wednesday at the GovSec conference in Washington, where the draft document was released. Most of the systems were compliant with current security checklists and best practices. "And portions of those systems were extraordinarily secure. But they were Maginot Lines," susceptible to being outflanked.

read more / 0 comments

bounty-hunters-pay-for-performance-economics-and

Posted by: admin 16 years, 3 months ago

There have been some interesting discussions about incenting judges to set bails appropriately and on the impact commercial bail bondsmen have on the 'failure to appear' rates. I first read about it in the Financial Times Undercover Economist column. The original post I found on Marginal Revolution

read more / 0 comments

better-password-strength-just-one-factor

Posted by: admin 16 years, 3 months ago

Pete over at Spire Security points out the obvvious(which alluded me):

As far as I can tell, Bruce Schneier's current Wired column, MySpace Passwords Aren't So Dumb, is intended to be taken seriously. The article is supposed to be about how "good" passwords on MySpace are these days, and there isn't a hint of irony in his statement:
"But seriously, passwords are getting better."
I am at a loss to explain how he can come to this conclusion when every single one of the 34,000 passwords he analyzed were stolen through a phishing attack. What he should have said was: "This shows that a 1-character password (the shortest they harvested) is just as secure as a 32-character password (the longest they harvested)"
He also points out that if you're not going to do two-factor authentication, then don't worry about long passwords. If any data is important enough or vulnerable enough to require a strong and therefore annoying password policy, use two-factor authentication.

read more / 0 comments

Recent Posts

Archive

2024
2022
2021
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom