Security Basics Mailing List

A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.


Latest Posts

Re: MSN virus Todd Haverkos (Feb 08)
xiandu () latech edu writes:

Standard advice upon a confirmed malware infection is to rebuild the
box if you want to be sure you've gotten everything. You
unfortunately can't trust the tools to find everything, let alone
fix/remove everything without causing some destabilizing issues in the
OS.

Backup data to an external drive, repartition, reformat, and reinstall
the OS from original optical media behind a hardware firewall that's
all by...

Re: Transparent vs Routed Firewall Alex (Feb 08)
Well the servers are either new or scheduled to be placed on a
different subnet either way so that's not a problem.

No. nothing of those.

exactly, that's why I asked

It does, thank you.

I think I'll stick to the "old-fashioned" routed for now but I'd like
to see the other way some time as well.

Re: SMS Banking Tim Clewlow (Feb 08)
You mentioned the "unprotected nature of SMS and mobiles in general"
and others have brought up the fact that GSM itself can be trivially
cracked ($1500 for a USRP, d/l some software, and anyone can do it).
There is also the problem of phones getting cracked and client apps
being compromised. It is not difficult to imagine a viral attack
gathering authentication data from a known (banking) app on mobile
devices and sending it all to a...

Re: SMS Banking Menerick, John (Feb 08)
Comments inline

Large risks. Take your basic one form of authentication modeled risk but multiply it greatly due to the gravity of the
information behind said SMS auth. Previous email from Craig Wright is a great start.

Everything from GSM cracking, to fuzzing via sms gateways/email providers.

Once you ignore the pages of using SMS for 2FA, http://www.google.com/search?&q=SMS+authentication should give you a
few pointers and case...

RE: SMS Banking Thor (Hammer of God) (Feb 08)
And just how do you come up with the probability of compromising the SMS function and the user authentication method?

While little formulas may go well in meetings, this hardly helps the OP with his question. You also failed to note
that the overall risk figure you calculate has to be compared to something - what are you comparing it to? If
P(Compromise) turns out to be 42, what does he do with that information?

Regarding GSM, what...

RE: SMS Banking Craig S. Wright (Feb 08)
The solution needs to be based on risk.

Where a system uses an SMS response with a separate system (such as a web
page), the probability that the banking user is compromised and a fraud is
committed, P(Compromise), can be calculated as:
P(Compromise) = P(C.SMS) x P(C.PIN)

Where: P(C.SMS) is the probability of compromising the SMS function and
P(C.PIN) is the compromise of the user authentication method

The user can...

Re: Transparent vs Routed Firewall John Morrison (Feb 08)
Chris has the right idea. Transparent does make it easier if you have
a single un-routed network. Personally I would chop the network up and
put each group of devices in a separate network. You should group your
devices so that all those that do not require any security between
them are on the same layer 3 network. You can then route and firewall
between networks as you require.

As Chris points out transparent mode avoids having to rejig your IP...

Managed Security Services mohannad . alkhalash (Feb 08)
Dear,

Managed Security Services (MSS) is an efficient approach to manage an organization's security needs. MSS is meant to
provide small, medium and large organizations the ability to leverage 24x7x365 security monitoring
and management through SOC which is "Security Operation center" in order to respond more efficiently to incidents and
become more proactive. Furthermore the functions of MSS include round-the-clock monitoring and...

Re: SMS Banking Dennis Li (Feb 08)

Re: [OT ish] Router vs Firewall - corporate environment John Morrison (Feb 08)
Martin,

If you have a Cisco router that is one of the newer ISR-type then you
can add the firewall feature set to get all the same rules as a
stateful firewall. Depending on the volume of traffic, for internal
use it may be enough.

If you have a large network and use Cisco 6500 series switches you can
plug in a Firewall Services Module and it will do firewalling as fast
as any Cisco dedicated device. As all the routing will be done in the...

Re: SMS Banking Markus Matiaschek (Feb 05)
Hi,

I'd just like to make some comments, I didn't think about a solution
for your problem.

First of all I think that my Budi wibowo got something wrong regarding
who is sending the PIN.

Second, GSM is cracked: http://reflextor.com/trac/a51 and can be
intercepted and decrypted. You should take this into account.

Third I think the only fairly safe way to make money transfers is with
transaction numbers, TANs. German banks send mobileTANs to...

Re: SMS Banking Agus 'Bosen' Supriadhie (Feb 05)
How about putting a random PIN sequence?
Only 2 or 3 part from the PIN randomly input
Let's say input the first and the fifth of the PIN
Randomly

Sent from my BlackBerry®
powered by Sinyal Kuat INDOSAT

-----Original Message-----
From: "Budi wibowo" <bwibowo () gmail com>
Date: Thu, 4 Feb 2010 22:55:51
To: M.D.Mufambisi<mufambisi () gmail com>; <listbounce () securityfocus com>; <pen-test () securityfocus com>;...

Re: SMS Banking NetEvil (Feb 05)
Hi,
Maybe I'm too much paranoid ..and never seen an app like this before...
So I'm just pointing some thoughts about it...
SMS can easily be spoofed (once you have obtained the pin of
course...) and many "Smart" phones have often vulnerabilities to
exploit...
And I'm quite sure there are other weaknesses ..as you are describing
the communication and authentication...
maybe others can point you better on the subject...
However in...

Re: Re: MSN virus taser3000 (Feb 05)
Actually I have heard of things like this going on in the increase. In fact I wound up talking with a guy the other day
who was looking for someone to write him a facebook login bot that would login and add friends to a specific group:
http://www.facebook.com/group.php?gid=442142825461#

Not something I trust in the slightest. Here's the kicker: he claims to have a password list to over 2K facebook
accounts. This just so happens to match what...

Re: SMS Banking Brad Reaves (Feb 05)
One of the biggest problems will be a static pin.
SMS's are stored on user's phones in plain text. Users can't be trusted to delete every message that they send.
Users are also in the habit of leaving their phones about, where a villain could easily sift through the SMS log
(conveniently sorted automatically by phone number) for messages to the bank, see the pin, and transfer funds.
The attacker wouldn't necessarily have to be the one to receive...

More Lists

Dozens of other network security lists are archived at SecLists.Org.

