Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-15 Thread pdp (architect)
CQ, maybe I am making a huge mistake for responding to your message, but let's see. This is what I think about security in depth in a bit more detail. Let's say that we have a wireless network which is guarded by security-in-depth network administrators. The first thing they will do is to secure

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-15 Thread gjgowey
the laptops. Geoff Sent from my BlackBerry wireless handheld. -Original Message- From: pdp (architect) [EMAIL PROTECTED] Date: Sun, 14 Oct 2007 21:59:19 To:C Q [EMAIL PROTECTED] Cc:full-disclosure@lists.grok.org.uk, [EMAIL PROTECTED] Subject: Re: [Full-disclosure] Remote Desktop

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-15 Thread James (njan) Eaton-Lee
actually use them. - James. -Original Message- From: pdp (architect) [EMAIL PROTECTED] Date: Sun, 14 Oct 2007 21:59:19 To:C Q [EMAIL PROTECTED] Cc:full-disclosure@lists.grok.org.uk, [EMAIL PROTECTED] Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks CQ, maybe

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-14 Thread C Q
I guess there's some logic in spreading FUD about security in depth not working. It might be a nice way to scare potential customers who don't know much about security into whatever services the Gnucitizen team sells. However, these kinds of tricks simply won't work with any seasoned security

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-14 Thread C Q
This wasn't a flame... It was a simple observation. Having read your reply I also see that you are trying to reinvent the wheel... when you talk about crisis management and other planning. Risk analysis, business continuity and disaster recovery planning, well prepared incident response

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-12 Thread Pete Simpson
Defence in depth is in question? After more than 20 years in compsec, the fallacy of the argument that defence in depth is dead is ironic. D.I.D. means that if defence A fails, B comes in. If B fails C comes in then D. etc. Though pdp is a very inventive youngster, it takes a few grey hairs to

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-12 Thread Thor (Hammer of God)
CIL: Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble opinion. I've seen only failure of the principles you mentioned. Security in depth works only in a perfect world. The

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread M. Burnett
It is important to note that you can block this through a setting in the Terminal Services Configuration admin tool. There is a setting to not allow initial programs to be launched, or to always launch a specific program. This will always override any program specified by the client. You can also
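The "program specified by the client" that the server-side setting above overrides is carried in the .rdp connection file the client opens. The following is an added example, not code from the thread or from M. Burnett: a small Python inspector that parses an .rdp file and reports whether it asks the server to launch a program at logon. The field names it looks for ("full address", "alternate shell", "shell working directory", "remoteapplicationprogram", "remoteapplicationmode") are standard Remote Desktop Connection file settings, but the thread does not name them, so treat that mapping as this example's assumption; the sample file at the bottom is constructed for the demonstration.

```python
"""
Inspect a .rdp connection file for a client-specified initial program.

Added example, not code from the Full-disclosure thread. The .rdp field
names used here are standard Remote Desktop Connection settings, but the
thread itself does not name them, so they are this example's assumption
about what "a program specified by the client" means on the wire.
"""
import re

# An .rdp file holds one setting per line:  <name>:<type>:<value>
# where <type> is s (string), i (integer) or b (binary hex blob).
_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Settings that make the client ask the server to run something at logon.
PROGRAM_FIELDS = ("alternate shell", "remoteapplicationprogram")


def parse_rdp(text):
    """Return {name: value}; integer-typed fields are converted to int."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue  # tolerate stray lines instead of failing on them
        name = m.group("name").strip().lower()
        value = m.group("value").strip()
        if m.group("type") == "i":
            try:
                value = int(value)
            except ValueError:
                pass  # leave malformed integers as text
        settings[name] = value
    return settings


def requested_program(settings):
    """Return (field, value) for the first program the file asks to launch, else None."""
    for field in PROGRAM_FIELDS:
        value = settings.get(field)
        if isinstance(value, str) and value:
            return field, value
    return None


def assess(text):
    """Summarise what a connection made with this file would request from the server."""
    s = parse_rdp(text)
    prog = requested_program(s)
    return {
        "target": s.get("full address", ""),
        "field": prog[0] if prog else None,
        "program": prog[1] if prog else None,
        "working_dir": s.get("shell working directory", ""),
        "remoteapp_mode": s.get("remoteapplicationmode", 0) == 1,
    }


# Constructed sample: a file that, on a server which still honours
# client-side initial programs, would start cmd.exe instead of the desktop.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp.example.internal
username:s:user
alternate shell:s:cmd.exe /c echo fixed-command
shell working directory:s:C:\\
"""

if __name__ == "__main__":
    report = assess(SAMPLE_RDP)
    if report["program"]:
        print("WARNING: %s requests initial program via '%s': %s"
              % (report["target"], report["field"], report["program"]))
    else:
        print("OK: no client-specified initial program in file")
```

Run it over .rdp attachments or files dropped in user profiles to see what a connection would ask for; the warning only matters on servers whose Terminal Services configuration still lets the client choose the initial program, which is exactly the setting the message above tells you to change.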

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread pdp (architect)
Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble opinion. I've seen only failure of the principles you mentioned. Security in depth works only in a perfect world. The truth is that

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread gjgowey
, [EMAIL PROTECTED] Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble opinion. I've seen only failure

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread gboyce
On Thu, 11 Oct 2007, pdp (architect) wrote: Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble opinion. I've seen only failure of the principles you mentioned. Security in depth

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Obscure
. -Original Message- From: pdp (architect) [EMAIL PROTECTED] Date: Thu, 11 Oct 2007 01:17:16 To:Thor (Hammer of God) [EMAIL PROTECTED] Cc:full-disclosure@lists.grok.org.uk, [EMAIL PROTECTED] Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks Thor, with no disrespect but you

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Paul Melson
Not to step in to the middle of this, but I once worked for an employer with what I considered the best way of stopping attacks cold: a proxy server that prompted you for your credentials when you went to an external web site and gp settings that disabled the ability to save your

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread gboyce
Well, what is your definition of Security in Depth? On Thu, 11 Oct 2007, pdp (architect) wrote: gboyce, cheers... nice example! although I had something else in mind. maybe I shouldn't have used the term security in depth since your version differs a bit from mine. I guess different

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Valdis . Kletnieks
On Wed, 10 Oct 2007 14:05:28 EDT, [EMAIL PROTECTED] said: SHUT UP VLADIS IF ANYONE CARED THEY WOULD JUST FREQUENT YOUR BLOG GET OFF THIS LIST THIS IS FOR SERIOUS SECURITY MATTERS ONLY You seem a tad confused regarding the use of the reply button, since: On Wed, 10 Oct 2007 07:14:32 -0400 pdp

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread pdp (architect)
gboyce, cheers... nice example! Although I had something else in mind. Maybe I shouldn't have used the term security in depth since your version differs a bit from mine. I guess different semantics. But yes, I agree that systems, processes, data, etc. need to be separated and blended into a

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Alex Everett
:[EMAIL PROTECTED] Sent: Thursday, October 11, 2007 8:28 AM To: pdp (architect); Thor (Hammer of God) Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED] Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks Not to step in to the middle of this, but I once worked for an employer

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread full-disclosure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SHUT UP VLADIS On Thu, 11 Oct 2007 14:54:52 -0400 [EMAIL PROTECTED] wrote: On Wed, 10 Oct 2007 14:05:28 EDT, [EMAIL PROTECTED] said: SHUT UP VLADIS IF ANYONE CARED THEY WOULD JUST FREQUENT YOUR BLOG GET OFF THIS LIST THIS IS FOR SERIOUS SECURITY

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Jim Harrison
..I am not planning to support my argument in any way.. That's a shame. If you can prove your hypothesis, it lends credibility to your claims. A refusal to do so only weakens your position. As others have pointed out, your attack only works if security in depth has been blatantly, intentionally

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Xo Plague
pdp (architect) wrote: Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble opinion. I've seen only failure of the principles you mentioned. Security in depth works only in a perfect

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread John C. A. Bambenek, CISSP
Security in depth is a tactic, not a process or definition. And it works for what it's designed to, which is the same thing most security solutions are designed to. That is, they raise the bar of entry. Ideally, it makes it hard to find the one-kink in the armor to bring it all down and makes

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Gautam R. Singh
My employer does this, but I think it's easier to fool users. Say we craft a website which again asks for username/password; most users will blindly give away their credentials, thinking of it as a new session.. On 10/11/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Not to step in to the middle

[Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-10 Thread pdp (architect)
http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks Security in depth does not exist! No matter what you do, dedicated attackers will always be able to penetrate your network. Seriously! Information security is mostly about risk assessment and crisis management. When it comes

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-10 Thread full-disclosure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SHUT UP VLADIS IF ANYONE CARED THEY WOULD JUST FREQUENT YOUR BLOG GET OFF THIS LIST THIS IS FOR SERIOUS SECURITY MATTERS ONLY On Wed, 10 Oct 2007 07:14:32 -0400 pdp (architect) [EMAIL PROTECTED] wrote:

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-10 Thread Thor (Hammer of God)
Security in depth is alive and well, thank you. In fact, it is security in depth that allows administrators to prevent this type of attack (if we can actually make the stretch to call it that). However, for the record, this is not an attack. You might as well just email the target and ask for