Perry E. Metzger wrote:
Have a look, for example, at
http://www.americanexpress.com/
which encourages users to type in their credentials, in the clear,
into a form that came from lord knows where and sends the information
lord knows where. Spoof the site, and who would notice?
Every company
Amir Herzberg [EMAIL PROTECTED] writes:
Perry makes a lot of good points, but then gives a wrong example re
Amex site (see below). Amex is indeed one of the unprotected login
sites (see my `I-NFL Hall of Shame`,
http://AmirHerzberg.com/shame.html). However, Amex is one of the few
companies
Steven M. Bellovin wrote:
The bigger issue, though, is more subtle: keeping track of the keys
is non-trivial. These need to be backed up, too, and kept separate
from (but synchronized with) the tapes. Worse yet, they need to be
kept secure. That may mean storing the keys with a different
Ben Laurie [EMAIL PROTECTED] writes:
Perry E. Metzger wrote:
Have a look, for example, at http://www.americanexpress.com/
which encourages users to type in their credentials, in the clear,
into a form that came from lord knows where and sends the information
lord knows where. Spoof the site,
james hughes [EMAIL PROTECTED] writes:
There are large institutions with 1000s of tape drives and 1,000,000
or more cartridges. Even simple solutions are huge to implement. This
is a non-trivial matter. The technical solutions are possible, there
are vendors out there that are already doing
Amir Herzberg wrote:
3. They did not actually spell out the problem in using SSL in the
homepage (like eTrade, for instance). But I think I know the reason
(they didn't confirm or deny). I think the reason is that they host
their site; in particular, when I tried accessing it via https, I got
Perry wrote:
In case you think the answer is regulation, by the way, let me note
that most of the regulatory pressure I've seen on security policy
results in people finding extremely well documented ways to do exactly
what the regulators ask, to no actual effect. This is generally
because the
Ben Laurie [EMAIL PROTECTED] writes:
Anne Lynn Wheeler wrote:
Peter Gutmann wrote:
That cuts both ways though. Since so many systems *do* screw with
data (in insignificant ways, e.g. stripping trailing blanks), anyone
who does massage data in such a way that any trivial change will be
[EMAIL PROTECTED] writes:
One thing that irritates me is that most security audits (that verify
compliance with regulations) are done by accountants. No disrespect for
accountants here, they are smart people, but most of them lack the
security knowledge needed to really help with the
| Perry makes a lot of good points, but then gives a wrong example re Amex site
| (see below). Amex is indeed one of the unprotected login sites (see my `I-NFL
| Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of
| the few companies that actually responded seriously to my
Jerrold Leichter [EMAIL PROTECTED] writes:
If you look at their site now, they *claim* to have fixed it: The login box
has a little lock symbol on it. Click on that, and you get a pop-up window
discussing the security of the page. It says that although the page itself
isn't protected,
On Wed, Jun 08, 2005 at 01:33:45PM -0400, [EMAIL PROTECTED] wrote:
|
| Ken Buchanan wrote:
| There are a number of small companies making products that can encrypt
| data in a storage infrastructure, including tape backups (full disclosure:
| I work for one of those companies). The solutions
2) The cost in question is so small as to be unmeasurable.
Yes, because key management is easy or free.
Also, reliability of encrypted backups is problematic: CBC modes render
a single fault destructive to the entire dataset. Counter mode is
sufficiently new that it's not supported by
Protected or not, AmericanExpress.com has multiple web vulnerabilities -
I wouldn't log into it with a ten-foot pole :)
-Lance
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perry E. Metzger
Sent: Wednesday, June 08, 2005 12:16 PM
To: Jerrold Leichter
Ladies and Gentlemen,
I'd like to come up to speed on the state of the
art in de-identification (~=anonymization) of data
especially monitoring data (firewall/hids logs, say).
A little googling suggests that this is an academic
subspeciality as well as a word with many interpretations.
If
On Wednesday 08 June 2005 18:33, [EMAIL PROTECTED] wrote:
Ken Buchanan wrote:
Another area where I predict vendors will (should) offer built in
solutions is with database encryption. A lot of laws require need-to-know
based access control, and with DBAs being able to see all entries that is
| Oracle, for example, provides encryption functions, but the real problem
| is the key handling (how to make sure the DBA can't get the key, cannot
| call functions that decrypt the data, key not copied with the backup,
| etc.).
| There are several solutions for the key management, but the
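The separation the message above is asking for (ciphertext in the database, the key and the decrypt routine only in the application, nothing usable in a backup of the database alone) can be demonstrated end to end. The following is an added example written for this page; it is not Oracle's feature and not code from anyone in the thread. It uses sqlite3 as a stand-in database and AES-GCM from the `cryptography` package; the table, the records and the in-memory key are constructed (a real deployment would fetch the key from an HSM or KMS).

```python
"""Application-layer column encryption with the key held outside the database.

Added example (not from the thread). The database stores only ciphertext, so a
DBA's SELECT, or a restored backup of the database file, yields nothing
readable; decryption happens in the application with a key the database never
sees. sqlite3 stands in for the real database; records are constructed.
"""
import os
import sqlite3

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM


class ColumnCrypter:
    """Encrypts and decrypts one column with a key that lives in the application.

    Assumption for the example: the key is generated in memory. In production
    it comes from an HSM/KMS and is never written next to the data.
    """

    def __init__(self, key=None):
        self.key = key or AESGCM.generate_key(bit_length=256)

    def seal(self, row_id, plaintext):
        # Fresh random nonce per record. The row id is bound as associated
        # data, so a ciphertext copied onto another row fails to decrypt.
        nonce = os.urandom(NONCE_LEN)
        aad = str(row_id).encode()
        return nonce + AESGCM(self.key).encrypt(nonce, plaintext.encode(), aad)

    def open(self, row_id, blob):
        nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
        aad = str(row_id).encode()
        return AESGCM(self.key).decrypt(nonce, ct, aad).decode()


def build_store(crypter, records):
    """Create a database whose sensitive column holds only ciphertext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB)")
    for row_id, name, ssn in records:
        db.execute("INSERT INTO customers VALUES (?, ?, ?)",
                   (row_id, name, crypter.seal(row_id, ssn)))
    db.commit()
    return db


def dba_view(db):
    """What a DBA, or anyone holding the backup, can see: the raw column."""
    return {row_id: ssn for row_id, ssn in db.execute("SELECT id, ssn FROM customers")}


def app_view(db, crypter):
    """What the application, which holds the key, can see."""
    return {row_id: crypter.open(row_id, blob) for row_id, blob in dba_view(db).items()}


def copy_ciphertext(db, src, dst):
    """Simulate a DBA moving one customer's ciphertext onto another row."""
    blob = db.execute("SELECT ssn FROM customers WHERE id=?", (src,)).fetchone()[0]
    db.execute("UPDATE customers SET ssn=? WHERE id=?", (blob, dst))
    db.commit()


# Constructed sample records (placeholder values).
RECORDS = [(1, "Alice", "000-00-0001"), (2, "Bob", "000-00-0002")]

if __name__ == "__main__":
    crypter = ColumnCrypter()
    db = build_store(crypter, RECORDS)
    print("DBA sees:", dba_view(db))
    print("App sees:", app_view(db, crypter))
```

The two properties worth checking are that the DBA view contains no plaintext and that a second `ColumnCrypter` (a different key, i.e. a backup restored without access to the KMS) cannot decrypt anything; the associated data additionally makes a row-to-row copy fail rather than silently reassigning one customer's value to another.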
In message [EMAIL PROTECTED], Perry E. Metzger writes:
Jerrold Leichter [EMAIL PROTECTED] writes:
If you look at their site now, they *claim* to have fixed it: The login box
has a little lock symbol on it. Click on that, and you get a pop-up window
discussing the security of the page. It
Steven M. Bellovin [EMAIL PROTECTED] writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent you an
altered version of the page.
They're doing
In message [EMAIL PROTECTED], Perry E. Metzger writes:
Steven M. Bellovin [EMAIL PROTECTED] writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent
Ben Laurie writes:
Why is it bad for the page to be downloaded clear? What matters is the
destination is encrypted, surely?
Because the page you downloaded in the clear contains the https: URL
in the post method. How do you know that this is the right URL? If
you got the page in the clear, you
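The point Perry is making can be turned into a check: the trust decision has to be made on the transport of the page that carries the form, not on the scheme of the form's action URL, because the action is itself part of the unauthenticated page. The following is an added example for this page, not code from anyone in the thread. It parses a login page with the standard-library HTML parser and reports, for each form with a password field, where it posts and whether the page itself was protected. The two HTML documents and the host names in them are constructed placeholders; the second is the first as an on-path attacker could rewrite it.

```python
"""Audit a login page for the "form served in the clear" problem.

Added example (not from the thread). A form fetched over http: can post to an
https: URL, but the page is unauthenticated, so anyone who can alter it in
transit can point the form anywhere. audit_login_forms() reports every form
that collects a password, where it posts, and whether the page transport
justifies trusting that destination. Sample pages below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record (action, has_password_field) for every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password-collecting form in `html`.

    A finding is "safe" only if the page came over https AND the resolved
    action is https. An https action on an http page does not count: the
    action URL arrived in the clear and may not be the site's own.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        action = urljoin(page_url, form["action"])   # relative actions resolve to the page
        action_https = urlsplit(action).scheme == "https"
        findings.append({
            "action": action,
            "page_https": page_https,
            "action_https": action_https,
            "safe": page_https and action_https,
        })
    return findings


# Constructed sample page (placeholder host names, .test TLD).
GENUINE_PAGE = """
<html><body>
<form method="post" action="https://login.example-bank.test/authenticate">
  User ID <input name="uid" type="text">
  Password <input name="pw" type="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# The same page after an on-path rewrite: one attribute differs, nothing the
# user can see does, and the action is still https.
SPOOFED_PAGE = GENUINE_PAGE.replace(
    "https://login.example-bank.test/authenticate",
    "https://login.example-bank.test.attacker.test/authenticate",
)

if __name__ == "__main__":
    for label, page in (("genuine", GENUINE_PAGE), ("spoofed", SPOOFED_PAGE)):
        for finding in audit_login_forms("http://www.example-bank.test/", page):
            print(label, finding)
```

Run against the http: URL, both the genuine and the spoofed page produce a finding with `action_https` true and `safe` false; the audit cannot tell them apart, which is exactly the problem. Only when the page itself is fetched over https does the genuine form come back `safe`.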
Dan Kaminsky [EMAIL PROTECTED] writes:
2) The cost in question is so small as to be unmeasurable.
Yes, because key management is easy or free.
In this case it is. As I've said, even having all your tapes for six
months at a time use the same key is better than putting the tapes in
the clear.