a step further, I'd suggest using one of
the many NAP-like platforms currently out there, doing some sensible
application-layer firewalling, or waiting until w2k8 came out and using
NAP itself. You've already got NAQC, since in your hypothetical scenario
you've already bought some ISA
Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
CQ,
maybe I am making a huge mistake by responding to your message, but
let's see. this is what I think about security in depth in a bit more
detail.
let's say that we have a wireless network which is guarded by "security
in depth" network administrators. the first thing they will do is to
secure t
This wasn't a flame... It was a simple observation.
Having read your reply I also see that you are trying
to reinvent the wheel... when you talk about
crisis management and other planning. Risk analysis,
business continuity and disaster recovery planning,
well prepared incident response procedures
I guess there's some logic in spreading FUD about security in depth
not working. It might be a nice way to scare potential customers
who don't know much about security into whatever services
Gnucitizen team sells. However, these kinds of tricks
simply won't work with any seasoned security professio
ok, I am not questioning whether it is needed or not... anyway,
instead of mailing a huge chunk of text again and clogging everyone's
email account, I decided to post my thoughts on the blog where they
should be anyway, here is the link:
http://www.gnucitizen.org/blog/clear
On 10/12/07, Thor (Hamm
CIL:
> Thor, with no disrespect but you are wrong. Security in depth does not
> work and I am not planning to support my argument in any way. This is
> just my personal humble opinion. I've seen only failure of the
> principles you mentioned. Security in depth works only in a perfect
> world. The
Defence in depth is in question? After more than 20 years in compsec,
the fallacy of the argument that defence in depth is dead is ironic.
D.I.D. means that if defence A fails, B comes in. If B fails C comes in
then D. etc. Though pdp is a very inventive youngster, it takes a few
grey hairs to mast
My employer does this, but I think it's easier to fool users: say we craft a
website which again asks for username/password, and most users will blindly
give away their credentials, thinking of it as a new session...
On 10/11/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Not to step in to the mi
Security in depth is a tactic, not a process or definition. And it works
for what it's designed to, which is the same thing most security solutions
are designed to. That is, they raise the bar of entry. Ideally, it makes
it hard to find the one kink in the armor to bring it all down and makes th
pdp (architect) wrote:
> Thor, with no disrespect but you are wrong. Security in depth does not
> work and I am not planning to support my argument in any way. This is
> just my personal humble opinion. I've seen only failure of the
> principles you mentioned. Security in depth works only in a perf
"..I am not planning to support my argument in any way.."
That's a shame.
If you can prove your hypothesis, it lends credibility to your claims.
A refusal to do so only weakens your position.
As others have pointed out, your attack only works if security in depth has
been blatantly, intentionally
SHUT UP VLADIS
On Thu, 11 Oct 2007 14:54:52 -0400 [EMAIL PROTECTED] wrote:
>On Wed, 10 Oct 2007 14:05:28 EDT, [EMAIL PROTECTED]
>said:
>
>> SHUT UP VLADIS IF ANYONE CARED THEY WOULD JUST FREQUENT YOUR
>BLOG
>> GET OFF THIS LIST THIS IS FOR SERIOUS SEC
Not to step in to the middle of this, but I once worked for an employer
On Wed, 10 Oct 2007 14:05:28 EDT, [EMAIL PROTECTED] said:
> SHUT UP VLADIS IF ANYONE CARED THEY WOULD JUST FREQUENT YOUR BLOG
> GET OFF THIS LIST THIS IS FOR SERIOUS SECURITY MATTERS ONLY
You seem a tad confused regarding the use of the "reply" button, since:
> On Wed, 10 Oct 2007 07:14:32 -0400
gboyce, cheers... nice example! although I had something else in mind.
maybe I shouldn't have used the term "security in depth" since your
version differs a bit from mine. I guess different semantics. but yes,
i agree that systems, processes, data, etc need to be separated and
blended into a balan
Well, what is your definition of "Security in Depth"?
On Thu, 11 Oct 2007, pdp (architect) wrote:
> gboyce, cheers... nice example! although I had something else in mind.
> maybe I shouldn't have used the term "security in depth" since your
> version differs a bit from mine. I guess different sem
> Not to step in to the middle of this, but I once worked for an employer with what I
> considered the best way of stopping attacks cold: a proxy server that prompted you for your
> credentials when you went to an external web site and gp settings that disabled the ability
> to save your usernam
On Thu, 11 Oct 2007, pdp (architect) wrote:
> Thor, with no disrespect but you are wrong. Security in depth does not
> work and I am not planning to support my argument in any way. This is
> just my personal humble opinion. I've seen only failure of the
> principles you mentioned. Security in dept
Thor, with no disrespect but you are wrong. Security in depth does not
work and I am not planning to support my argument in any way. This is
just my personal humble opinion. I've seen only failure of the
principles you mentioned. Security in depth works only in a perfect
world. The truth is that yo
It is important to note that you can block this through a setting in the
Terminal Services Configuration admin tool. There is a setting to not allow
initial programs to be launched or to always launch a specific program. This
will always override any program specified by the client. You can also
config
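The message above describes the server-side override in Terminal Services Configuration (the Environment tab of the RDP-Tcp listener). The following PowerShell is an added example written for this page, not code from the thread, from Gnucitizen or from Microsoft. It audits the listener's initial-program setting, optionally enforces the server-side choice, and inspects a .rdp file for a client-supplied shell. Assumptions to verify on your own build: that the tool writes the values `fInheritInitialProgram`, `InitialProgram` and `WorkDirectory` under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`, that `fInheritInitialProgram = 0` with an empty `InitialProgram` means "always show the desktop", and that the client-side field involved is the standard .rdp property `alternate shell:s:`. The sample .rdp content is constructed for the demo, not a captured file.

```powershell
# Added example (not from the thread): audit and enforce the terminal server's
# "initial program" behaviour, and flag .rdp files that try to set one.
# Assumed registry mapping for the Terminal Services Configuration Environment tab:
#   fInheritInitialProgram = 1 -> run whatever the user profile or connecting
#                                 client asks for (the path the post relies on)
#   fInheritInitialProgram = 0 -> ignore the client; start InitialProgram, or
#                                 the desktop when InitialProgram is empty
# Run elevated on the terminal server; changes apply to new sessions only.

$WinStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

function Get-RdpInitialProgramPolicy {
    param([string]$Listener = 'RDP-Tcp')
    $key = Join-Path $WinStations $Listener
    if (-not (Test-Path $key)) { throw "Listener key not found: $key" }
    $p = Get-ItemProperty -Path $key
    $inherit = 1   # assumption: a missing value behaves like the default (client wins)
    if ($null -ne $p.fInheritInitialProgram) { $inherit = [int]$p.fInheritInitialProgram }
    [pscustomobject]@{
        Listener             = $Listener
        ClientMayPickShell   = ($inherit -eq 1)
        ServerInitialProgram = [string]$p.InitialProgram
        ServerWorkDirectory  = [string]$p.WorkDirectory
    }
}

function Set-RdpInitialProgramPolicy {
    # Turn inheritance off so a client-supplied program is ignored.
    # Empty InitialProgram = always show the desktop (assumed, see above).
    param(
        [string]$Listener = 'RDP-Tcp',
        [string]$InitialProgram = '',
        [string]$WorkDirectory = ''
    )
    $key = Join-Path $WinStations $Listener
    if (-not (Test-Path $key)) { throw "Listener key not found: $key" }
    Set-ItemProperty -Path $key -Name fInheritInitialProgram -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name InitialProgram -Value $InitialProgram -Type String
    Set-ItemProperty -Path $key -Name WorkDirectory -Value $WorkDirectory -Type String
}

function Test-RdpFile {
    # Client side: report the host and any initial program an .rdp file carries.
    # "alternate shell:s:" / "shell working directory:s:" are the standard .rdp
    # properties for this; treat any value there as worth a look before opening.
    param([Parameter(Mandatory = $true)][string]$Path)
    $addr = $null; $shell = $null; $dir = $null
    foreach ($line in Get-Content -Path $Path) {
        if     ($line -match '^\s*full address:s:(.*)$')            { $addr  = $Matches[1].Trim() }
        elseif ($line -match '^\s*alternate shell:s:(.*)$')         { $shell = $Matches[1].Trim() }
        elseif ($line -match '^\s*shell working directory:s:(.*)$') { $dir   = $Matches[1].Trim() }
    }
    [pscustomobject]@{
        File           = $Path
        FullAddress    = $addr
        AlternateShell = $shell
        WorkingDir     = $dir
        Suspicious     = [bool]$shell
    }
}

# --- demo -------------------------------------------------------------------
Get-RdpInitialProgramPolicy | Format-List

# Constructed sample .rdp file (not a real capture) to exercise Test-RdpFile.
$sample = Join-Path $env:TEMP 'sample.rdp'
@'
full address:s:ts.example.test
alternate shell:s:cmd.exe /c whoami > %TEMP%\out.txt
shell working directory:s:C:\
'@ | Set-Content -Path $sample
Test-RdpFile -Path $sample | Format-List

# To enforce "always show the desktop" on the default listener, run:
#   Set-RdpInitialProgramPolicy -Listener 'RDP-Tcp'
```

`Get-RdpInitialProgramPolicy` returning `ClientMayPickShell = True` is the condition the post needs; after `Set-RdpInitialProgramPolicy` the server starts either the desktop or the program you named, regardless of what the .rdp file asked for. The client-side check is a triage aid only: an `alternate shell` line is not proof of malice, but it is the field to read before opening an .rdp attachment.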
Security in depth is alive and well, thank you. In fact, it is security
in depth that allows administrators to prevent this type of "attack" (if
we can actually make the stretch to call it that).
However, for the record, this is not an "attack." You might as well
just email the target and ask fo
SHUT UP VLADIS IF ANYONE CARED THEY WOULD JUST FREQUENT YOUR BLOG
GET OFF THIS LIST THIS IS FOR SERIOUS SECURITY MATTERS ONLY
On Wed, 10 Oct 2007 07:14:32 -0400 "pdp (architect)"
<[EMAIL PROTECTED]> wrote:
>http://www.gnucitizen.org/blog/remote-deskt
http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks
Security in depth does not exist! No matter what you do, dedicated
attackers will always be able to penetrate your network. Seriously!
Information security is mostly about risk assessment and crisis
management.
When it comes t