A changing landscape
Rohyt Belani, 2005-09-07

In 2004, I came across an empirical study published by the CERT/CC that indicated a diminishing correlation between the number of vendor-published vulnerabilities and the number of reported security incidents. In the years prior to 2002, the number of reported security breaches had always been proportional to the number of vendor-published vulnerabilities. That correlation made sense, since attacks and worms followed vulnerabilities. In 2003 and beyond, however, this was no longer the case: the number of incidents rose dramatically relative to the number of published vulnerabilities.

A changing landscape 2005-09-07
Anonymous (1 replies)
A simple way to help the unsuspecting end user is to offer links that create bookmarks to the site. This will eliminate the possibility that the user types in the wrong website after a successful first visit....

Re: A changing landscape 2005-09-07
Anonymous (1 replies)
This isn't just about phishing - note the repeated mention of the keystroke loggers. The user could be at the correct site (in fact it is preferred if they are) and as they type in their credentials, the logger harvests and sends them to the attacker. Bookmarking won't do anything in this case....

Re: Re: A changing landscape 2005-09-22
Anonymous
Barclays have an interesting approach to keyloggers; as part of their authentication, you must enter two letters from a password, but do so using drop-down menus.

On one hand, this is pretty much security-by-obscurity, but on the other - for now, at least - it would be somewhat harder to 'keylog'...

A changing landscape 2005-09-07
Anonymous
You speak at OWASP? I don't think so!...

A changing landscape 2005-09-08
Anonymous
Yes, and then make sure that the bookmark doesn't "break" after a web site reorganization. I've had it happen to me, and have wasted valuable time trying to find, and bookmark, the new page....

A changing landscape 2005-09-09
Griggs
IMO and in this case I think patching and employing good security practices will never be enough. With activities like online banking there's an up side and down side. The up side is convenience while the down side is the risk of having your account breached and looted. One of the best ways to av...

A changing landscape 2005-09-09
Augusto P Barros
Improving authentication while you still have malicious code running on the client's computer is not the definitive solution. Malware will migrate from stealing credentials to hijacking sessions and altering data on the fly. ...

changing our point of view 2005-09-12
Alexey Vesnin (1 replies)
Yes, end-user's ignorance is not an indulgence. Banks should, but MUST NOT provide such links about threats in Internet. Do you know the driving rules when you're going to another country on a car? Yes, you do, because of your safety at first. Is Internet something different? You must know - or a...

Re: changing our point of view 2005-09-15
Anonymous (2 replies)
I agree except for the point about RSA SecurID. I have architected and integrated SecurID for about 10,000 people. I can tell you for a fact that it "is" too expensive. They are no better than MS (except MS provides better tech support). There are alternatives....

Re: Re: changing our point of view 2005-09-20
Alexey Vesnin
Agreed. But there's one Russia-specific problem. People are too bored to even change their password at least once a month, and if you let 'em make their passwords - don't be amazed discovering passwords like "123", "aaa", "12345" and similar. It's useless to talk to them, to explain how bad it is. "...

Re: Re: changing our point of view 2005-09-29
eMZe
Yes, it is expensive, if you use it only in ONE place. It (or any comparable product) is LIFE SAVING in systems where you have to manage hundreds of devices or use hundreds of logins on webs, shells, etc. Web banking: It can be forged, of course, since it relies on some browser data that can be catch...

Copyright 2009, SecurityFocus