Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Timothy J. Miller (tmillermitre.org)
Date: Tue Apr 24 2007 - 15:28:21 CDT
Roy Keene (Contractor) wrote:
> Thus if your workstation is in a significantly increased position of
> risk (i.e., you do not apply security patches, and are not on a network
> that blocks known-bad attackers, and there is no IDS/IPS) then any
> e-mail you send is at a significantly increased risk of being tampered
> with, and any encrypted transmission are at a significantly increased
> risk of being intercepted with.
This is only true if you're leaving the card in the reader. I would say
don't do that; the card should only be inserted when the card is needed
for an operation, limiting the window during which malicious code can
piggyback an authenticated card session (or start its own).
Fundamentally this is a trusted path issue and is as true on managed as
well as unmanaged machines. If you're interested in the problem, I
recommend Balfanz & Felton's paper "Handheld computers can be better
smart cards" as a starting point. (ObNameDrop: I was at USENIX SEC'99
where this paper was presented.)
> Certainly, it still happens on a network that follows DISA guidelines,
> but it happens very infrequently and is almost always detected.
Isn't the illusion of security grand? ;) Seriously--as has been
reported recently in the open media--there have been multiple,
long-running intrusions into DoD networks that went undetected for months.
Muscle mailing list
- application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature