Skip to main content

The WiKID Blog

Viewing posts tagged Authentication Attacks

More Marketing Service firms in the news

Dark Reading is reporting that Best Buy has suffered a second loss of customer data - e-mail addresses - through another vendor (not Epsilon).  

An Analysis of the Inevitable Analyses of the Gawker Password Breach

Here we go again.  Another attack results in a password file being posted on the Internet.  Queue the analysis of the password file.  State how users always choose the simplest passwords and cannot be trusted with their own security choices.  Of course, this is a great time for WiKID to note that two-factor authentication solves this problem. 

Traditional two-factor authentication is dead.

At Bsides Atlanta last week, Eric Smith (@infosecmafia) and Dave Kennedy (@dave_rel1k) demonstrated a real-time attack against a Juniper SSL-VPN that by-passes the authentication method used including time-bound one-time passcodes.  (Dave's post on "Traditional Penetration Testing is DEAD" on their BSidesAtlanta talk inspired my title. ;)

This type of attack against SSL and DNS has been predicted for some time, taking advantage of user's willingness to accept any SSL certificate.  Kudos to Eric and Dave for showing how this type of attack combined with a strategically aimed penetration test can really wreak havoc on an enterprise.

A world without static passwords

I wanted to quickly clarify my brief twitter rant about SMS authentication.  This was all started by Chris Wysopal's tweet about Zeus's new mobile MiTM attacks and that "phones are not secure enough for 2 factor".  Zeus is now targeting the text messages that banks are using for authenticating transactions.

Javelin Strategy on Business Banking

Read this post on "Business Bank Accounts: The missing features that no one is talking about" for a great summary of the missing features that online banking needs to provide a secure solution for their customers, including one-time passwords.  I find this to be a little dis-heartening as I believe that online banking needs for more than the features on this list. We have often gone on about mutual https authentication and transaction authentication, but it turns out banks are a long way from providing these "advanced features".   Perhaps I should be more positive: Think how easy it should be for a bank to increase their security.

Recent Posts







RSS / Atom