Thursday, August 20, 2009

Cookies are bad with strong auth in web apps

Here is a great write-up by VeriSign on why using cookies for multi-factor authentication is a bad idea. I think they obviously have a solution up their sleeves which will make them money, but besides this I think the point is still valid. It's well worth the read.

No Firewall - How to beat Jordan and Kasparov

I read an interesting blog post (http://1raindrop.typepad.com/1_raindrop/2009/08/there-are-no-firewalls-or-how-to-beat-michael-jordan-and-garry-kasparov.html) the other day, which I thought was important enough to blog about. This is good stuff to remember.

ask the client to draw up their security architecture on the whiteboard. This inevitably contains a firewall as one of the central pieces. Next, I ask them what is "behind" the firewall, describe the assets, their value to the business and so on. Then, I say "now imagine the firewall is not there. What would your security architecture look like? What would protect your assets, your data, your users, your apps?" Then I list off a series of attacks that take no notice of the firewall's presence because they were designed to circumvent it from the get go. From an attacker's point of view a firewall is a speed bump, not an immovable object. It's simply a question of looking at it from a different point of view. Typically, at this point the blood drains from my colleagues' faces.

I call this the Michael Jordan/Garry Kasparov situation.

Question: how can you beat Michael Jordan & Garry Kasparov?

Answer: Get Jordan to play any game except basketball and Kasparov to play any game but chess.