Tuesday, June 21, 2005

firewall-wizards digest, Vol 1 #1619 - 2 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Transitive Trust: 40 million credit cards hack'd (Kevin)
2. RE: Broken Analogies (was: Transitive Trust) (Ben Nagy)

--__--__--

Message: 1
Date: Mon, 20 Jun 2005 18:35:09 -0500
From: Kevin <kkadow@gmail.com>
Reply-To: Kevin <kkadow@gmail.com>
To: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Cc: Firewal Wizards <firewall-wizards@honor.icsalabs.com>

On 6/20/05, Paul D. Robertson <paul@compuwar.net> wrote:
> On Mon, 20 Jun 2005, Behm, Jeffrey L. wrote:
> > True, Marcus, but not everyone _does_ use 2 factor auth. So, at this
> > point, it can be effective. You don't gotta outrun the bear, just
> > the guy next to you.
>
> That assumes (1) a single bear OR (2) that you can outrun the bear in the
> time it takes it to disable the other target.
>
> Autonomous malcode changes that equation, as does semi-random targeting.

OTOH, attacking tokens and other OTP schemes requires a whole different
toolkit (a "better bear"), while the current crop of keyloggers and phishing is
working fine as "store and forward" attacks where they can assume the
credentials they log will be valid for quite some time.

> Now, personally, I'm all for making most of the current crop of attacker
> tools outdated, not because I think it'll make us safe, but because it'll
> force attackers to keep up, and I'd rather they not be provided the
> option of being lazy if we all have to work too.

So long as there are plenty of easy targets which do NOT require a better
bear, the attackers will tend to go after the easy targets, and not bother to
write tools which can be effective against tokens and OTP and other
hardened targets.

The American black bear is capable of eating porcupines, but so long as
the supply of nuts and berries is plentiful, the bears leave them alone.

> But more importantly, two factor authentication starts to provide a
> really good base for accountability- and THAT is what we *need*.

Shhh!

Accountability may be the only real advantage that 2-factor has over
old-fashioned reusable passwords, but if the users get wind that the
real reason they are being issued tokens isn't to protect *them* but
rather to protect *us*, we will have a revolt on our hands :)

Take for example the SecurID tokens issued by E*Trade and AOL.

Does anybody really believe that E*Trade is giving their customers
"free" tokens to help protect the user from hackers, rather than to protect
E*Trade from users who say "I didn't make that losing trade, my account
must have been hacked, refund my losses!"?

It's all about audit trails and non-repudiation, if there is any advantage
to personal privacy, that's just an unintended side-effect.

Kevin Kadow

--__--__--

Message: 2
From: "Ben Nagy" <ben@iagu.net>
To: "'Eugene Kuznetsov'" <eugene@datapower.com>
Cc: "'Firewal Wizards'" <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Broken Analogies (was: Transitive Trust)
Date: Tue, 21 Jun 2005 15:09:05 +0200

> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Eugene Kuznetsov
[...]
> There's an interesting thought here, one that really takes us
> into the realm
> of epidemiology or toxicology. Bears aside, what is the
> expected, normal
> rate of such incidents? Is it getting worse? Better? Risk factors?
> Correlation?
>
> Anyone know of any papers that try to think of computer
> security incidents
> like "[awful-disease] clusters"?

I was thinking of using something like this in a paper, but I concluded that
it doesn't really work out. It's very exciting when you look at the spread
of network worms - they make an S-shaped curve called a sigmoid, which comes
straight out of epidemiology. The trouble is that's about where the
usefulness stops. I don't mean this to be a put-down, because it certainly
is an interesting train of thought.

There are some important differences, especially when applied to things like
self-propagating malware like worms or user-propagated ones like viruses.

1. With diseases you stop becoming an infection vector (you die, or you get
better).

This would leave organisations with the option of doing nothing, which they
don't have.

2. With diseases you get really sick.

This one might take some explaining - 99% of computer viruses and worms
don't have any real effect on the host that is infected, which is why
thousands of people still have Blaster and haven't really noticed. Sure they
swamp networks, and OK, maybe they make things crash sometimes, but that's
really not _all_ that bad.

People's mentality will never change while this is the case, because all of
the cures are worse than the diseases. Take any aggressive quarantine style
system and apply it enterprise-wide and people will start to bitch. They
will bitch even worse when there is a false positive because the perceived
usability cost is too high for them. When we start getting more malware that
trashes the host then I think all of these discussions might become more
useful.

I'm going to leave aside things like acquired immunity, re-infection, and
avoidance (people don't tend to kiss those suffering from cold sores).

Current worms may _spread_ like diseases, but that's pretty much where the
useful similarities end, in my opinion.

Oh, and targeted incidents are not like diseases at all - they probably are,
actually, more like bears. Or maybe weasels. I actually think you might be
better looking at it from an economic modelling approach with supply and
demand of exploits and risk / reward of targets. There's probably some game
theory in there too.

Anyway, enough ramble.

ben
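The sigmoid Ben describes, and his first point (with a disease you eventually stop being a vector, with a worm you don't), can both be shown with a small simulation. The code below is an added illustration, not part of the digest or of any paper by the posters: it runs a discrete-time SI model (infected hosts stay infectious forever, which is how an unpatched worm behaves) next to the same model with a removal rate (hosts being patched or cleaned each step, the "you get better" case). The host count, contact rate and removal rate are constructed assumptions, not measurements from any real outbreak.

```python
"""Constructed worm-spread simulation: SI (no removal) versus SI-with-removal.

All parameter values below are illustrative assumptions chosen for the example.
"""


def simulate(n_hosts, contact_rate, removal_rate=0.0, initial_infected=1, steps=60):
    """Return a list of (susceptible, infected, removed) per step.

    contact_rate : expected new infections per infected host per step when
                   every other host is still susceptible (scan success rate).
    removal_rate : fraction of infected hosts patched/cleaned per step;
                   0.0 gives the pure SI model (the "nobody gets better" case).
    """
    s = float(n_hosts - initial_infected)
    i = float(initial_infected)
    r = 0.0
    history = [(s, i, r)]
    for _ in range(steps):
        # Mass-action term: infections need an infected host meeting a susceptible one.
        new_inf = min(contact_rate * i * s / n_hosts, s)
        new_rem = removal_rate * i
        s -= new_inf
        i += new_inf - new_rem
        r += new_rem
        history.append((s, i, r))
    return history


def peak_infected(history):
    """Highest simultaneous infected count over the run."""
    return max(i for _, i, _ in history)


def is_sigmoid(history):
    """Check the logistic signature: per-step growth rises, peaks once, then falls.

    The SI model produces exactly this S-curve; once a removal rate is added the
    infected count turns over and declines, so this check fails for that run.
    """
    inf = [i for _, i, _ in history]
    deltas = [b - a for a, b in zip(inf, inf[1:])]
    k = max(range(len(deltas)), key=lambda j: deltas[j])  # step of fastest growth
    accelerating = all(deltas[j] <= deltas[j + 1] + 1e-9 for j in range(k))
    decelerating = all(deltas[j] >= deltas[j + 1] - 1e-9 for j in range(k, len(deltas) - 1))
    return accelerating and decelerating and 0 < k < len(deltas) - 1


if __name__ == "__main__":
    N = 1000  # assumed population of reachable hosts
    si = simulate(N, contact_rate=0.5)
    cleaned = simulate(N, contact_rate=0.5, removal_rate=0.3)
    print("step   SI infected   with-removal infected")
    for step in range(0, 61, 5):
        print(f"{step:4d}   {si[step][1]:11.1f}   {cleaned[step][1]:21.1f}")
    print("SI curve is sigmoid:", is_sigmoid(si))
    print("peak with removal:", round(peak_infected(cleaned), 1), "of", N)
```

The SI run climbs to essentially the whole population and stays there, which is the Blaster situation in the post: nothing ever takes an infected host out of circulation, so the only lever a defender has is the removal term, and the second run shows how strongly even a modest per-step patch/clean rate caps the peak.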

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest