Myths of Security, by John Viega



The market wants to believe that one security product will solve all its security problems.
Update AV and software, and only talk to genuine sites online.
Intelligent guys on both the good and the bad side.
Security is a performance overhead.
Making things simple can be difficult.
There is no silver bullet for any solution.
Intention: money, ego.
Nothing can ever be frozen in the software field.
Selling to end users or companies?
Illegal software masquerading as legal.
Security problems of the browser.
Getting access to one PC on the corporate LAN.
Whatever data of yours is available on social networking sites can be used to craft a personalized attack on you.
Compromise a website/page that has active users.
Rest attack.
Get control of a system and use it for further attacks via botnet software.
Vendors who do lots of different things are rarely best at anything.
Ad companies are evil.
DAT files or signature files.
If there are no thieves, the police have no job. If there is no one to buy, the one who sells is out of a job.
What is the duration between a software release, a vulnerability being detected and malware created, the AV detecting the malware, a software patch being released, and the patch being applied?
Heuristic detection.
Cryptographic signature verification.
Network address translation (NAT).
Some security companies create fear and sell.
Bruce Schneier
John Viega
north of 80%
It is important to be passionate about security.
Closed software may have more bugs than open software, but its source code is not available.
It is not whether you are the best, it is whether you are better than your competition.
Out of sight, out of mind: advertising.
Virtualization and security.
Security problems exist: found by bad guys, found by good guys, found by strong guys, not found.
The process of finding involves costs. If found by a bad guy, it can cause loss of face, data, control, money.
PCI: Payment Card Industry.
Disclosure models: let it all hang out, keep it secret, responsible disclosure.
pwn = own
DVLabs / TippingPoint zero-day.
NIPS (network) / HIPS (host): intrusion prevention systems.
Cisco router operating system: IOS.
Man-in-the-middle attacks are possible using ARP poisoning with tools like Dsniff, Ettercap, Cain & Abel, or via an unencrypted wireless access point.
Insider / physical attack.
Electronic locks.
Disconnect between academics and industry.
craptcha / decaptcher.com: usability trade-off.
A minimal (AV) bar is better than no bar.
No death for passwords.
Lock out a valid user intentionally.
Zero-knowledge password protocol.
One-time passwords: zork.org/opus
Site-specific password derived from a generic string.
sxipper.com: Firefox password storage plugin.
First lines of a popular sentence.
goodpassword.com
Spam: legitimate mails may go there.
Junk mail from legitimate users?
mailnator.com / mxlogic.com
SiteKey / two-factor auth.
False positives.

Comments

Anonymous said…
Came to have a look at you~ great blog!