Posts by cbrenton

4 publicly visible posts • joined 4 Aug 2009

Most resistance to 'Aurora' hack attacks futile, says report

cbrenton

Nothing new

Most of us have been seeing 0-day phishing since 2002, so this is really nothing new. Except of course to the folks that really don't monitor their network and let this fly under the radar.

This really comes down to application control. If you let users install unchecked software on their systems, they are going to get 0wn3d. It amazes me how many Admins will still initially react with "Oh no, we can't stop users from installing software in this environment". By running the software in monitoring mode I can usually show them that users need access to < 20 well known apps. Lock down installation to only these select programs and suddenly Malware and 0-Day are far less of an issue.
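The "run it in monitoring mode first, then lock installation down to the handful of apps people actually use" approach described above, worked through as an added example (this is not the commenter's code or any product's API). It assumes the control can emit one execution event per launch with host, user, path and binary hash; the events below are constructed, and the two-host promotion threshold is an assumed policy knob.

```python
"""Application-control allowlist derived from monitoring-mode data.

Assumed input: one ExecEvent per process launch, gathered while the
control only observes. The sample events are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    host: str
    user: str
    path: str
    sha256: str  # hash of the binary that was actually launched


# Constructed sample paths and events from a short monitoring period.
WORD = r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"
OUTLOOK = r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"
ONEOFF = r"C:\Users\bob\Downloads\freegame.exe"

MONITOR_EVENTS = [
    ExecEvent("ws01", "alice", WORD, "h-word"),
    ExecEvent("ws01", "alice", OUTLOOK, "h-outlook"),
    ExecEvent("ws01", "alice", BROWSER, "h-firefox"),
    ExecEvent("ws02", "bob", WORD, "h-word"),
    ExecEvent("ws02", "bob", BROWSER, "h-firefox"),
    ExecEvent("ws02", "bob", ONEOFF, "h-freegame"),
    ExecEvent("ws03", "carol", OUTLOOK, "h-outlook"),
    ExecEvent("ws03", "carol", BROWSER, "h-firefox"),
]


def build_allowlist(events, min_hosts=2):
    """Return {path: {sha256, ...}} for executables seen on >= min_hosts hosts.

    Anything launched from only one machine (a stray download, a one-off
    tool) stays below the bar and is reviewed instead of blanket-approved.
    """
    hosts_by_path = defaultdict(set)
    hashes_by_path = defaultdict(set)
    for e in events:
        hosts_by_path[e.path].add(e.host)
        hashes_by_path[e.path].add(e.sha256)
    return {
        path: hashes_by_path[path]
        for path, hosts in hosts_by_path.items()
        if len(hosts) >= min_hosts
    }


def needs_review(events, allowlist):
    """Executables observed in monitoring mode but not promoted."""
    return sorted({e.path for e in events} - set(allowlist))


def evaluate(event, allowlist):
    """Enforcement decision for a single launch.

    Allow only when the path is known AND the hash matches one recorded
    during monitoring; a known path with an unknown hash is what a
    replaced or tampered binary looks like, so it is blocked separately.
    """
    known_hashes = allowlist.get(event.path)
    if known_hashes is None:
        return "block:unknown-app"
    if event.sha256 not in known_hashes:
        return "block:hash-mismatch"
    return "allow"


if __name__ == "__main__":
    allowlist = build_allowlist(MONITOR_EVENTS)
    print("allowlisted:", sorted(allowlist))
    print("needs review:", needs_review(MONITOR_EVENTS, allowlist))
    print(evaluate(ExecEvent("ws09", "eve", WORD, "h-word"), allowlist))
```

The review list is the part that makes the "we can't stop users installing software" conversation concrete: it is usually short, and each entry is either approved once or explained away.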

Man banished from PayPal for showing how to hack PayPal

cbrenton

Hard to feel bad for the guy

I think the author needs a bit of perspective. Per the article Marlinspike:

Created the bogus PayPal cert

Created the tool that lets you use it to hijack SSL/TLS

Trained people in how to perform the attack

Not really sure why we are supposed to be surprised that PayPal wants nothing to do with him.

Top vendors flunk Vista anti-virus tests

cbrenton

Is anti-virus even relevant for corporate use?

Of course anti-virus is going to fail. Symantec and F-Secure claim they are seeing 11,000+ new pieces of malware daily. There is no way to defend against a flood like that with a signature based solution.

Most of my clients have migrated to application control, which makes malware a non-issue. I have a few write-ups on my blog if anyone is interested: http://www.chrisbrenton.org/?s=malware

AES encryption not as tough as you think

cbrenton

All the eggs in one basket

AES (like DES before it) was supposed to last 30 years. We're less than 10 years in with significant problems being found. Not a good sign for data with long-term value. If it only takes another 3-5 years for these attacks to be practical, what's to stop an attacker from recording and sitting on the ciphertext till then?

The fix for those who are concerned is to simply change ciphers (I'm still big on Blowfish myself). IMHO this has bigger implications for solutions where AES is your only data privacy option. A good example is WPA. If AES falls you are in trouble because AES is the only supported privacy option. I've documented a workaround if anyone is interested: http://www.chrisbrenton.org/2009/07/eliminating-the-need-for-wpa-in-the-enterprise-part1/