> When the merchants enjoy lower
> liabilities as a result of fraud
> reduction things become a little
> different
That's what Visa and Mastercard said about Secure Electronic Transactions (SET)
as a replacement for SSL and merchant risk management business expertise.
Oddly, neither the banks no
On Sat, 19 Mar 2005 [EMAIL PROTECTED] wrote:
the way i see it, some people bought personal info from choicepoint. if
that info contained hashed SSNs it would be just as valuable to a
LEGITIMATE user for verification purposes.
Explain why. Remember that I'm sitting down at the bank applying for a
On Sat, 19 Mar 2005 [EMAIL PROTECTED] wrote:
some companies have a legitimate need to ask that question. they should
be subject to more stringent checks than our recent bad guys. FTMP,
however, that question is of very little use... if you want to know the
SSN of "john smith", born 1976-07-04 yo
I don't see any disclosure in this thread but what the heck.
[EMAIL PROTECTED] wrote:
On Sat, 19 Mar 2005 19:27:22 EST, Atom Smasher said:
the way i see it, some people bought personal info from choicepoint. if
that info contained hashed SSNs it would be just as valuable to a
LEGITIMATE user for
On Sat, 19 Mar 2005 19:27:22 EST, Atom Smasher said:
> the way i see it, some people bought personal info from choicepoint. if
> that info contained hashed SSNs it would be just as valuable to a
> LEGITIMATE user for verification purposes.
Explain why. Remember that I'm sitting down at the ban
On Sat, 19 Mar 2005, Jason Coombs wrote:
i've been referring to a social engineering attack where people SIGNED
UP FOR ACCOUNTS and got the info because they were paying customers and
they asked for it!
The whole choicepoint behind the business model is to sell the SSNs to
customers... If you ch
On Sat, 19 Mar 2005 [EMAIL PROTECTED] wrote:
Remember that the company probably needs an *invertible* function as
they need to be able to access the original value, so the trick of "hash
the SSN and see if you get the same to compare for equality" isn't
usable. You can use a one-way function if
On Sat, 19 Mar 2005, Jason Coombs wrote:
Before I make off with your hard drive, I'm going to try very hard to
add some known SSNs to the database using your own hashing machine
(which presumably I won't be able to own outright, such that I could
discover your salting algorithm directly).
==
Hello,
Let me chime in on the topic.
Visual Captchas are useless
1., No matter how good they are, people will still solve
them (you know the usual spammer trick: set up a free pr0n
website and require visitors to solve the proxied captchas
to access those adult pictures).
2., Visual CAPTCHAS al
On Sat, 19 Mar 2005 18:18:46 EST, Atom Smasher said:
> some companies have a legitimate need to ask that question. they should be
> subject to more stringent checks than our recent bad guys. FTMP, however,
> that question is of very little use... if you want to know the SSN of
> "john smith", b
On Sat, 19 Mar 2005 23:02:36 GMT, Jason Coombs said:
> > reverse hashing
>
> By reverse hashing you mean defeating the protection by forward hashing all
> possible SSNs, presumably.
No, that's me writing in a hurry and failing to make clear that if you're
using an invertible function, you'll hav
> i've been referring to a social
> engineering attack where people
> SIGNED UP FOR ACCOUNTS and got
> the info because they were paying
> customers and they asked for it!
The whole choicepoint behind the business model is to sell the SSNs to
customers... If you choosepoint to defeat your own bus
> reverse hashing
By reverse hashing you mean defeating the protection by forward hashing all
possible SSNs, presumably.
-----Original Message-----
From: [EMAIL PROTECTED]
Date: Sat, 19 Mar 2005 17:38:09
To: Atom Smasher <[EMAIL PROTECTED]>
Cc: Jason Coombs <[EMAIL PROTECTED]>, Full-Disclos
On Sat, 19 Mar 2005 13:34:53 EST, Atom Smasher said:
> tell ya what... here's my SSN hashed with a salt:
> e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440
>
> as soon as you recover my SSN, just let me know.
Tell you what - give me the salt and the hash algorithm, and it wil
Atom Smasher wrote:
> tell ya what... here's my SSN
> hashed with a salt:
>
> e36c98b34d5ba979fb0bf0c64dc7b3
> a66c9ce841437d6460390e63808
> 10f1440
>
> as soon as you recover my SSN,
> just let me know.
A fine challenge. Give us access to your hashing machine, or at least hash the
following SSN
Hullo,
I realize this is a bit off-topic, but I thought that people here
would likely know better than most--does anyone have recommendations
for places that an undergrad CS/Math major could spend the summer
doing security-related work? I've looked at Mitre's summer program
[http://www.mitre.org/e
I am conducting a pen-test on a web app that is
vulnerable to SQL injection. The backend database is MS access.
i have managed to get a list of table names using
something like the following: select Name from MSysObjects
where Type=1
and Name not like "MSys*"; However, I am strugg
On Sat, 19 Mar 2005, Vincent van Scherpenseel wrote:
> On Saturday 19 March 2005 13:02, Kurt Seifried wrote:
> > > Don't forget that it's bad for the company's image to have confidential
> > > customer data stolen. As soon as the press catches on it's bad for
> > > business.
> > > So, companies *d
On Sat, 19 Mar 2005, Kurt Seifried wrote:
> > Don't forget that it's bad for the company's image to have confidential
> > customer data stolen. As soon as the press catches on it's bad for
> > business.
> > So, companies *do* have a drive to secure your private data.
>
> Uhhh no. See consumers suc
On Sat, 19 Mar 2005, Kurt Seifried wrote:
Hashing SSN numbers and CC numbers doesn't matter unless you use a
really huge salt that is stored separately. Why? Not enough variation. A
credit card number for example:
4520 1234 1234 1234
except the first 4 digits (4520) are the bank code, so for exa
tell ya what... here's my SSN hashed with a salt:
e36c98b34d5ba979fb0bf0c64dc7b3a66c9ce841437d6460390e6380810f1440
as soon as you recover my SSN, just let me know.
btw, if an information clearing house discloses my phone number, DOB,
address, name, or ANYTHING about me (even to confirm whe
Hey Folks !!
Is there anyone in this list who has worked on creation of complex
CAPTCHAs??
A CAPTCHA is a program which can distinguish between computer and humans.
These are mostly found on webpages like YAHOO, HOTMAIL, ... INTERNET POLLs
etc. CAPTCHAs are mostly used to defeat internet bots w
On Fri, 18 Mar 2005, Daniel Sichel wrote:
> So umm 4 registry changes, 2 customized ACLs, and a customized login
> policy aren't tweaks. Ooops, my bad, the emperor IS wearing clothes!
Don't forget "turning off unneeded services" and the kitchen-sink
"properly protecting Web servers and the compu
I don't see that issue in winxp sp2 (fully patched),
nor winxp. But at times I had problems browsing a
(completely) new website.
But I've faced an issue with my ISP. I don't know what
those guys at my ISP have configured... (O; their
transparent proxy can't connect to a fresh web server
nor resol
I will be out of the office from 19.03.2005. I will return on 03.04.2005.
In urgent cases you can reach me at
+49 151 11 70 71 64.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-chart
On Saturday 19 March 2005 13:02, Kurt Seifried wrote:
> > Don't forget that it's bad for the company's image to have confidential
> > customer data stolen. As soon as the press catches on it's bad for
> > business.
> > So, companies *do* have a drive to secure your private data.
>
> Uhhh no. See co
Don't forget that it's bad for the company's image to have confidential
customer data stolen. As soon as the press catches on it's bad for
business.
So, companies *do* have a drive to secure your private data.
Uhhh no. See consumers such as yourself don't actually purchase services
from choicepoi
On Saturday 19 March 2005 09:36, Kurt Seifried wrote:
> The sad part is there is NO (Zero, Nada, Zilch) incentive for companies to
> treat this data securely. Information for a hundred thousand people is
> stolen. So what? The company is not criminally liable in any way (I haven't
> heard of any l
Hashing SSN numbers and CC numbers doesn't matter unless you use a really
huge salt that is stored separately. Why? Not enough variation. A credit
card number for example:
4520 1234 1234 1234
except the first 4 digits (4520) are the bank code, so for example in canada
if you guess 4520 as the f
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200503-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - -