ty in this discussion.
lyal
_
From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Tuesday, 27 April 2010 11:33 PM
To: Lyal Collins
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.
AV is about 4 requirements out of over 230 requirements, covering secure
coding/development, patching, network security, hardening systems, least
privilege, robust authentication, s
"Lastly, that is where you are wrong, there is no "base starting point"
companies don't give a shit about proper security measures, they get
PCI-certified and all security ends there.
That is the freaken problem."
Well, when this occurs, they are not compliant = Epic FAIL = wasted dollars.
i.e. t
I'd like to jump into this exchange of views for a moment.
As a QSA, I know PCI DSS is not perfect.
It's certainly better than ISO 27001/2 imho, where you decide what you want
assessed against criteria you define. HIPAA, SOC and GLBA et al are
virtually non-existent apply in my country, so 27001
I'm not a crypto guru, but it seems to me that this issue can be
crypto-analysed somewhat like the speedups used to find hash collisions (if
I understand them at all).
The goal in both cases is to find a hash that 'collides' with a known hash
(password hash, or CC number of 6 BIN digits, 9,999,999
Follow the links at https://www.pcisecuritystandards.org/index.htm
Note - AVS applies to the company, not an individual.
QSA certification applies to both the company and the individual.
lyalc
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of shadow
flo
I'd add to this that anyone who buys security consulting/pen test services
et al solely on the basis of web site content is unlikely to get any
worthwhile outcomes for their specific needs.
No effective manager in any company/government I've seen is going to refer
to a web site alone, or to bothe
Over 8 years old (mid 1997/8) -
http://www.dotsec.com/onBank.html?topic=302544
Lyal
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Debasis Mohanty
Sent: Tuesday, 28 November 2006 6:12 PM
To: 'Gadi Evron'; full-disclosure@lists.grok.org.uk
Subject: Re: [F
If there's malware on the machine, and there is a connected USB token, then
authentication is only as good as the password - malware can probe the
connected token as often as desired.
And this data stream to the authentication host is still subject to a
variety of MITM attacks.
In the event of an
Some comment inline...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Sunday, 20 August 2006 4:45 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Tempest today
Do you want data recovery?
Just forget the password to a certificate/private key, and the company has
lost access to any company records 'protected' by S/MIME, generally in
conventional S/MIME setups. And forget virus/spam scanning too.
Lyal
-Original Message--
-ADVISORY- ~ x Thu Mar 16 14:03:31 EST 2006 x ~ Buffer Overflow in VMware
---
I. Description
---
It is possible to make VMware crash or run arbitrary code by the use of
malformed input.
: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
On Monday 13 March 2006 15:17, Lyal Collins wrote:
> Yup, that's right: All PKI authentication is only as good as the
> passwords protecting private keys where such passwords exi
sword and or private key.
Lyal
-Original Message-
From: Tim [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 March 2006 10:02 AM
To: Lyal Collins
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
> Although something else may have been i
Although something else may have been intended by using the phrase
"password-authenticated key agreement", lets not forget that's all PKI is -
key agreement based on verifying a password.
At the server end, the site admins password is verified e.g. for SSL servers
At the client, if you're lucky, th
Section 10.2 requires sufficient logging to allow a sequence of events to be
recreated from the log data, including access to audit logs. I suspect the
rationale is to be able to detect attempted alterations of logs.
If this can't be done, then the audit log has questionable value as
evidence.
In
There are 3 obvious problems with this I think, although there are some good
ideas embedded in this model.
Firstly, the user ID isn't used anywhere, although it's captured.
Second, this is still subject to a mitm attack.
Thirdly, any message or session data is not protected as c
And USB keys/thumb drives are FAT, usually.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Technica Forensis
Sent: Tuesday, 6 December 2005 7:07 AM
To: c0ntex
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] SANS Stuff
what are flopp
+1100 2/12/05, Lyal Collins wrote:
>In 1996, this virtual keypad concept was broken by taking 10x10 pixel
>images under the cursor click, showing the number/letters used in that
>password.
>
>Virtual keypads are just a minor change of tactics, not a long term
>resolution to t
Typo - I meant 1997 NOT 1996.
-Original Message-
From: Lyal Collins [mailto:[EMAIL PROTECTED]
Sent: Friday, 2 December 2005 9:42 AM
To: 'deepquest'; '[EMAIL PROTECTED]'
Cc: 'Full-Disclosure'
Subject: RE: [Full-disclosure] Most common keystroke loggers?
d in this supposedly more secure
framework since 'the authentication is infallible' (marketing speak)?
Lyal
-Original Message-
From: deepquest [mailto:[EMAIL PROTECTED]
Sent: Friday, 2 December 2005 9:44 AM
To: Lyal Collins
Cc: [EMAIL PROTECTED]; 'Full-Disclosure'
Su
In 1996, this virtual keypad concept was broken by taking 10x10 pixel images
under the cursor click, showing the number/letters used in that password.
Virtual keypads are just a minor change of tactics, not a long term
resolution to this risk, imho.
Lyal
-Original Message-
From: [EMAIL
The reality has been imho, since the mid-90s that the authentication issues
mentioned below (capture and misuse between entry device and processing
device) are generic attack models, and can best be addressed by placing
authentication and entry functions in the same
tamper-proof/tamper-evident/resi
Like running to a bank/post office and getting a certificate?
Certs are just a password verification tool, where user password verification
occurs locally instead of at the server. This is NOT two-factor by any
definition, just a password verification displacement tool.
At
If you get a packet capture, run it through an IDS platform with current
alert signatures, and see if it alerts on any traffic.
Or analyse outbound traffic destination from the machine - if traffic exits,
or tries to exit the company boundaries without valid reason, then it's not
good practice and s
IANAL, but I think jurisdictions may have issues with receiving and
using/profiting from stolen 'property', regardless of whether that property
is an information/intangible asset or a tangible asset.
In practical terms the information is 'published' as in available to a broad
range of readers.
Ava