From Mary Brown | October 21st, 2009
Many of us who work in information security have long bemoaned the shortcomings of using passwords as an authentication factor. One of the first alternatives to passwords, in the form of two-factor authentication, was the hardware token that generates a one-time password. An interesting alternative to the token is an ‘out of band’ solution that pushes a one-time password to the user's mobile phone.
Are any of you currently using these or any of the out of band solutions to authenticate users? Share your experiences/thoughts by posting a comment.
For more information read this white paper. Also, check out phonefactor.com and authentify.com.
Tags: authentication, information security, mobile phone, out of band, password, passwords, two factor authentication
From Rodney Visser | September 15th, 2009
Recently, another Windows OS vulnerability has surfaced, affecting ports 139 and 445. It was initially released as a denial-of-service attack, but could also allow system-level remote code execution. The strange thing about this particular exploit for me is that the issue was fixed in Windows 7 build 7130, but as of today there is still no fix for Vista or Server 2008.
In the time it is taking them to address this issue, there is already working exploit code in the ever-popular Metasploit framework, and as an added bonus it has the ability to do reverse HTTP tunneling on port 80. This means that you could hit an exploited system and the firewall will literally mean nothing.
Tags: information security, network
From Mary Brown | August 20th, 2009
Brad Stone, a reporter with the New York Times, reports on the indictment in what is believed to be the largest single incident of credit card information theft. I say believed to be, because it appears that we really do not know what is happening out on the Internet until it is publicized. How many of you have received a new credit card in the mail without adequate explanation as to what happened to the old one that created the need for a replacement in the first place?
Tags: credit card information theft, credit card theft, identity theft, information security
From Rodney Visser | August 18th, 2009
When adding a traditional hardware-based firewall to a network, major network surgery is needed a majority of the time. The potential for configuration problems with both internal clients and the router/proxy is increased. There is also the overhead that goes into processing each packet or session for the firewall, making it difficult to come to an informed decision.
When looking through the eyes of an attacker, only minimal investigation and enumeration is needed to identify a device that is acting as a firewall, and its rule-set or “protection” features can then be worked out.
Tags: firewalls, hardware, information security, network, transparent firewalls
From Mary Brown | August 17th, 2009
Kim Zetter, at wired.com, reports on the ongoing tension between RSA and an information security blogger, Scott Jarkoff, who reported on what appears to be a flaw in the security architecture in the Web site of an RSA client. The tension has generated a renewed discussion on how vulnerabilities should be communicated when they are discovered.
Why do you think that RSA is pushing so hard, when doing so has created more chatter and made more people aware of this vulnerability as a result of their actions?
Tags: information security, RSA, Wired, wired.com
From Mary Brown | July 23rd, 2009
A 2005 paper on a distributed security framework by Susan Brenner and Leo Clarke has recently been getting a lot of attention on the blogs. Both Bruce Schneier and Michael Kassner have recently commented on the efficacy of this approach to information security, which professes to take a more proactive stance rather than the typical reactive stance that is too common in the security industry. The paper includes discussion of international cybercrime treaties and of police recruiting civilians to fight cybercrime. The authors also suggest that it should be illegal to gain access to the Internet except through a licensed ISP.
What do you think about this proposed framework for information security? Why do you think it has only now gained the degree of attention that it seems to be recently experiencing? Share your thoughts.
Check out the paper, and the links to the Kassner blog and the Schneier blog, here.
Tags: blogs, cybercrime, cybercrime treaties, distributed security framework, information security, Internet, ISP, paper