Klint Borozan
(Jun 5, 2009 - 10:49 AM)
I have been timing this with a stopwatch, knowing it would fail quickly. This event speaks volumes about the SMS/text-based delivery of passwords: it is still put into the application with the internet "in line" and vulnerable to Man in the Browser, MitM, etc.
"Naturally the group is being cautious with details, but it appears that a man-in-the-middle attack did the job once the researchers established a registered account on the service."
It has also been amazing to see how many security and product management professionals delivering online managed services don't understand how the internet works. One VP recently told me, "our SMS is reducing fraud by 40-70%." I think we can all see that the remaining 30% can brutalize both an institution and a company product, devastating a brand overnight.
Phone-based authentication is fantastic and effective, so long as it is out of band. Again, the biggest problem is that most companies, customers, and even software product managers simply don't understand how attacks on the internet are implemented: stick with the phone, but use out of band.