Re: Remote Desktop Command Fixation Attacks

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Remote Desktop Command Fixation Attacks
From: hvdkooij@xxxxxxxxxxxxxxx
Date: Thu, 11 Oct 2007 23:45:05 +0200
In-reply-to: <6905b1570710101717v60bf6d40q8e822d850736b796@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6905b1570710100414m44c105a6u17728b9bbcfb9cf4@xxxxxxxxxxxxxx> <F9C0B32C4FFE7147BD0FF6A40BE806E701AC4E@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <6905b1570710101717v60bf6d40q8e822d850736b796@xxxxxxxxxxxxxx>
User-agent: Thunderbird 2.0.0.6 (X11/20070926)

pdp (architect) wrote:
> Thor, with no disrespect but you are wrong. Security in depth does not
> work and I am not planning to support my argument in any way. This is
> just my personal humble opinion. I've seen only failure of the
> principles you mentioned. Security in depth works only in a perfect
> world. The truth is that you cannot implement true security mainly
> because you will hit on the accessibility side. It is all about
> achieving the balance between security and accessibility. Moreover,
> you cannot implement security in depth mainly because you cannot
> predict the future. Therefore, you don't know what kinds of attack
> will surface next.
> 
> Security is not a destination, it is a process. Security in depth
> sounds like a destination to me.

Security in depth is neither a destination nor a process. It is a state
of mind. Each part should take care of itself. And it should be as
secure as possible in each step.

Hugo.

-- 
hvdkooij@xxxxxxxxxxxxxxx               http://hugo.vanderkooij.org/
        Don't meddle in the affairs of sysadmins,
        for they are subtle and quick to anger.

References:
- Remote Desktop Command Fixation Attacks
  - From: pdp (architect)
- RE: Remote Desktop Command Fixation Attacks
  - From: Thor (Hammer of God)
- Re: Remote Desktop Command Fixation Attacks
  - From: pdp (architect)

Prev by Date: SEC Consult SA-20071012-0 :: Madwifi xrates element remote DOS
Next by Date: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
Previous by thread: RE: Remote Desktop Command Fixation Attacks
Next by thread: RE: [Full-disclosure] Remote Desktop Command Fixation Attacks
Index(es):
- Date
- Thread