Comments for SecMusings

Comment on Conficker “doomsday” passes without incident by andy

andy — Mon, 20 Jul 2009 01:53:01 +0000

Yes, but this is July, and the post was from April…

Comment on Conficker “doomsday” passes without incident by Vinoth

Vinoth — Sun, 19 Jul 2009 15:16:17 +0000

Actually NMAP have a feature to detect conficker infected PC

Comment on Automated Lockouts: Just Say No! by tom

tom — Mon, 25 Aug 2008 13:24:06 +0000

er – that should have been COMPLIANCE (not APPLIANCE)

Comment on Automated Lockouts: Just Say No! by tom

tom — Mon, 25 Aug 2008 13:22:55 +0000

But most managers implementing security policies have not the slightest interest in making their systems “secure” whatever that might mean in their environment.

Their main concern is to earn brownie points by reporting to their managers that they have achieved whatever level of appliance is deemed necessary.

– Security is not an add-on

Comment on Happy Independence Day by yathrib

yathrib — Fri, 11 Jul 2008 14:58:12 +0000

Here in Brooklyn there seemed to be a constant NYPD presence in the streets which resulted in very few (illegal) fireworks display. Of course, that’s always the part I remember from when I was a kid!

Looks like we’ll be checking out the “approved” displays at the local minor league stadiums in the coming weeks.

Comment on Unconventional Wisdom by andy

andy — Mon, 30 Jun 2008 14:08:15 +0000

I missed that one. I’d love to hear more about it.

Comment on Unconventional Wisdom by yathrib

yathrib — Sun, 29 Jun 2008 10:57:18 +0000

Oh yes, I would love to know where many of these “sounds like security, but it’s not” policies come from.

Auditors often suggest policies which engineers should know better than to accept.

I don’t know if you recall the furor a few years ago about “MarketScore” (now called comScore) amongst .edus, but that was a good example of auditor-driven policies (firewalling off MarketScore’s servers) which weren’t the best solution.

Comment on Automated Lockouts: Just Say No! by yathrib

yathrib — Sun, 29 Jun 2008 10:52:06 +0000

Funny, we cover this very point in an introductory security class I teach. Most of the students in that class picked up that 3-strike lockouts just gave the attacker a trivial DoS capability.

Back-off timers seem to be a nice solution: a human interactively logging in will realize they’re making a mistake if after three tries it takes them a minute to get another prompt.

Comment on Automated Lockouts: Just Say No! by Steve Ruegnitz

Steve Ruegnitz — Fri, 20 Jun 2008 20:14:24 +0000

Andy

Sad but true that at this point it has gone beyond conventional wisdom to lock out after three attempts, it has joined the ranks of generic audit checklists. This will make well meaning, but not well skilled audit teams simply look for a binary answer of “yes we do lock out or no we don’t” with little to no understanding of the implications.

I fear this policy will be with us long after any utility to it (if there ever was any utility in the first place) is gone.

Comment on Automated Lockouts: Just Say No! by Kevin Riggins

Kevin Riggins — Fri, 20 Jun 2008 15:24:35 +0000

Andy,

Really enjoyed the post. Good stuff. As you and the other commenters have pointed out, password lockouts are another fine example of “It Depends.” Having the business folks chime in on issues like this is vitally important as you allude to with your example of stock traders not being able to work because of lockouts.

On a bit of a side note, what a great way to attack the brand of a company that relies on their people being able to access systems real-time.

Keep up the good work.

Kevin