Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-15 Thread pdp (architect)
CQ, maybe I am making a huge mistake for responding to your message, but let's see. this is what I think about security in depth in a bit more detail. let's say that we have a wireless network which is guarded by "security in depth" network administrators. the first thing they will do is to secure t

Re: Remote Desktop Command Fixation Attacks

2007-10-15 Thread pdp (architect)
ok, I am not questioning whether it is needed or not... anyway, instead of mailing a huge chunk of text again and clogging everyone's email account, I decided to post my thoughts on the blog where they should be anyway, here is the link: http://www.gnucitizen.org/blog/clear On 10/12/07, Thor (Hamm

RE: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-15 Thread Alex Everett
:[EMAIL PROTECTED] Sent: Thursday, October 11, 2007 8:28 AM To: pdp (architect); Thor (Hammer of God) Cc: [EMAIL PROTECTED]; bugtraq@securityfocus.com Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks Not to step into the middle of this, but I once worked for an employer with

RE: Remote Desktop Command Fixation Attacks

2007-10-12 Thread Thor (Hammer of God)
CIL: > Thor, with no disrespect but you are wrong. Security in depth does not > work and I am not planning to support my argument in any way. This is > just my personal humble opinion. I've seen only failure of the > principles you mentioned. Security in depth works only in a perfect > world. The

RE: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-12 Thread Pete Simpson
Defence in depth is in question? After more than 20 years in compsec, the fallacy of the argument that defence in depth is dead is ironic. D.I.D. means that if defence A fails, B comes in. If B fails C comes in then D. etc. Though pdp is a very inventive youngster, it takes a few grey hairs to mast

Re: Remote Desktop Command Fixation Attacks

2007-10-12 Thread hvdkooij
pdp (architect) wrote: > Thor, with no disrespect but you are wrong. Security in depth does not > work and I am not planning to support my argument in any way. This is > just my personal humble opinion. I've seen only failure of the > principles you mentioned. Security in depth works only in a perf

RE: Remote Desktop Command Fixation Attacks

2007-10-11 Thread Jim Harrison
age- From: pdp (architect) [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 10, 2007 5:17 PM To: Thor (Hammer of God) Cc: [EMAIL PROTECTED]; bugtraq@securityfocus.com Subject: Re: Remote Desktop Command Fixation Attacks Thor, with no disrespect but you are wrong. Security in depth does not work an

Re: Remote Desktop Command Fixation Attacks

2007-10-11 Thread pdp (architect)
in any way, > degrade the value of security in depth. In fact, it is a perfect > example *for* security in depth in that regard: if this "attack" > succeeds against anyone, it is not because security in depth does not > exist, it is because security in depth was not prac

Re: Remote Desktop Command Fixation Attacks

2007-10-11 Thread pdp (architect)
Steve, try to email someone from your company a batch file. I am sure that that will fail, mainly because you realize that it is a security risk. right? now try to email a .rdp or .ica file. it works 99% of all the time. second, please read the article. :) no offense, but you are completely missi

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread gjgowey
ED]> Cc:[EMAIL PROTECTED], bugtraq@securityfocus.com Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble o

RE: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Paul Melson
> Not to step into the middle of this, but I once worked for an employer with what I > considered the best way of stopping attacks cold: a proxy server that prompted you for your > credentials when you went to an external web site and gp settings that disabled the ability > to save your usernam

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread pdp (architect)
gboyce, cheers... nice example! although I had something else in mind. maybe I shouldn't have used the term "security in depth" since your version differs a bit from mine. I guess different semantics. but yes, I agree that systems, processes, data, etc need to be separated and blended into a balan

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread gboyce
On Thu, 11 Oct 2007, pdp (architect) wrote: Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble opinion. I've seen only failure of the principles you mentioned. Security in depth work

RE: Remote Desktop Command Fixation Attacks

2007-10-11 Thread M. Burnett
mailto:[EMAIL PROTECTED] > Sent: Wednesday, October 10, 2007 4:11 PM > To: pdp (architect); [EMAIL PROTECTED]; > bugtraq@securityfocus.com > Subject: RE: Remote Desktop Command Fixation Attacks > > Security in depth is alive and well, thank you. In fact, it is > secu

RE: Remote Desktop Command Fixation Attacks

2007-10-10 Thread Thor (Hammer of God)
anyone, it is not because security in depth does not exist, it is because security in depth was not practiced. t -Original Message- From: pdp (architect) [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 10, 2007 4:15 AM To: [EMAIL PROTECTED]; bugtraq@securityfocus.com Subject: Rem

Re: Remote Desktop Command Fixation Attacks

2007-10-10 Thread Steve Shockley
pdp (architect) wrote: The attack is rather simple. All the bad guys have to do is to compose a malicious RDP (for Windows Terminal Services) or ICA (for CITRIX) file and send it to the victim. The victim is persuaded to open the file by double clicking on it. When the connection is established,

Remote Desktop Command Fixation Attacks

2007-10-10 Thread pdp (architect)
http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks Security in depth does not exist! No matter what you do, dedicated attackers will always be able to penetrate your network. Seriously! Information security is mostly about risk assessment and crisis management. When it comes