Security Basics
Re: Bank Of Montreal Online Security Oct 30 2012 11:55AM
Alexander Meesters (a meesters sansyl com) (2 replies)
Re: Bank Of Montreal Online Security Oct 30 2012 05:35PM
Davin Enigl (davinenigl comcast net) (1 replies)
RE: Bank Of Montreal Online Security Oct 31 2012 06:15PM
Scott Herbert (scott a herbert googlemail com) (1 replies)
RE: Bank Of Montreal Online Security Nov 01 2012 07:58AM
Globalart4u Enquiries (enquiries globalart4u com)
Re: Bank Of Montreal Online Security Oct 30 2012 03:04PM
Davin Enigl (davinenigl comcast net)


On 10/30/2012 04:55 AM, Alexander Meesters wrote:
> I don't think brute force is the issue here; most likely an attack on such a system would be by SQL injection. Once they have the credentials, it's easy enough to utilize rainbow tables in order to get a usable password.
>
> Although it's unlikely a bank would use an unsafe hashing algorithm like MD5 or SHA-1, the rainbow tables available today for those algorithms are up to 12 characters in length.
>
> IMHO they, and for that matter everybody, are far better off using passphrases, for example: "i do not like waffles", or "my 2 grand kids are awesome!"
> It's both easily memorable and tough to crack, and far exceeds any available rainbow table out there!

I worked for the last five years on the NSA/NIST SHA-3 hash project. I
assure you, if you do not double-salt your password hashes (even SHA-3)
--- then you are inviting rainbow pre-imaging.

Double salt, now! Corporate salt and individual user salt. Both. See how
to stop password cracking at: http://crackstation.net/ This is the
best site I've ever seen on this subject.

Also, hackers only have to be right once. They are not stupid. They do
not "brute-force" anything. They APT -- or variations thereof.
http://en.wikipedia.org/wiki/Advanced_persistent_threat

--Davin Enigl
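The double-salt scheme Davin describes (a corporate, site-wide secret plus a random per-user salt), shown as an added example that is not from the thread or from any of the posters. Everything in it is constructed for illustration: the candidate-password list standing in for a rainbow table, the corporate secret value, the PBKDF2-HMAC-SHA256 key derivation and its iteration count are all assumptions, not anything a bank or the posters use. The point it demonstrates is the one made above: an unsalted SHA-1 hash falls to a table built in advance, while a hash that mixes in a per-user salt never appears in any such table, and the corporate secret kept outside the database means a dumped table alone gives the attacker nothing to start from.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for this example: a tiny "rainbow table" built from
# a handful of candidate passwords, standing in for the multi-gigabyte tables
# the thread mentions. Unsalted SHA-1 is used only to show the weakness.
CANDIDATES = ["password", "letmein", "qwerty123", "Summer2012", "bmo12345"]

# Hypothetical site-wide secret ("corporate salt", often called a pepper).
# Assumption for this example: held in config or an HSM, never stored beside
# the per-user hashes.
CORPORATE_SALT = b"example-corporate-secret-not-for-production"

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your own hardware budget


def unsalted_sha1(password: str) -> str:
    """The weak scheme: identical passwords give identical, precomputable hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password, which is what a rainbow/lookup table does offline."""
    return {unsalted_sha1(p): p for p in candidates}


def crack_unsalted(stored_hash: str, table: dict):
    """Instant reversal when the stored hash was made without a salt."""
    return table.get(stored_hash)


def hash_password(password: str, user_salt: Optional[bytes] = None) -> dict:
    """Double-salted hash: random per-user salt plus the corporate secret.

    The per-user salt (stored with the record) makes every user's hash unique,
    so no table built in advance can match it; the corporate salt (kept out of
    the database) means a dumped table alone is not enough to begin cracking.
    PBKDF2-HMAC-SHA256 is the slow KDF chosen for this example.
    """
    if user_salt is None:
        user_salt = os.urandom(16)
    # Both salts feed the KDF; the per-user part is what defeats precomputation.
    combined_salt = CORPORATE_SALT + user_salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 combined_salt, PBKDF2_ITERATIONS)
    return {"salt": user_salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored per-user salt and compare in constant time."""
    recomputed = hash_password(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(recomputed["hash"], record["hash"])


def demo() -> dict:
    """Run the weak scheme and the double-salted scheme against the same table."""
    table = build_lookup_table(CANDIDATES)
    weak = unsalted_sha1("Summer2012")
    rec_a = hash_password("Summer2012")
    rec_b = hash_password("Summer2012")  # same password, different user
    return {
        "cracked_unsalted": crack_unsalted(weak, table),   # "Summer2012"
        "salted_in_table": rec_a["hash"] in table,          # False
        "same_password_same_hash": rec_a["hash"] == rec_b["hash"],  # False
        "verify_ok": verify_password("Summer2012", rec_a),  # True
        "verify_wrong": verify_password("summer2012", rec_a),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the per-user salt is stored in the clear next to the hash; it is not a secret, its job is only to make each hash unique. The corporate salt is the part that has to stay out of the database, which is why it lives in a constant here rather than in the record.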


Copyright 2010, SecurityFocus