assurance - Re: [Assurance] silver and two-factor ...
- From: "Joe St Sauver" <>
- To:
- Subject: Re: [Assurance] silver and two-factor ...
- Date: Tue, 13 Mar 2012 12:30:52 -0800 (PST)
"Caskey, Paul" <> commented:
#That said, I'm sure someone is already working on a new crafty spam mail
#"Please mail me your 2nd factor token and PIN and I will then wire you $10
#million from this Nigerian prince...". :)
There are still-"better" "solutions" that the bad guys are using when
confronting two factor users, e.g., what some have taken to calling
"man-in-the-browser" attacks. See for example:
-- "Hackers outwit online banking identity security systems"
http://www.bbc.co.uk/news/technology-16812064
-- "Sykipot variant hijacks DOD and Windows smart cards"
http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs/
And of course, malware has long sought to harvest things like client
certificates stored in software browser stores (e.g., see Figure 7 of
http://www.secureworks.com/research/threats/zeus/ ), just as malware
has long sought to steal passwords saved in browsers, etc.
Bottom line, if you have an insecure host O/S, I'm not sure anything's
going to be a silver bullet, but two factor or two channel at least
raises the bar and makes the bad guys work at least a *little* harder :-)
Regards,
Joe