SMS messaging as a second factor of authentication is certainly better than nothing, but it is also a clear step backward compared to a physical or soft token.
Please take this situation into account if you are a LastPass user and patch your systems accordingly. Also, take additional precautions given the browser specific vulnerabilities that exist.
Browsers are getting marginally better in defending against compromise, especially with the progression of better sandboxing techniques, but some browsers are doing a better job than others.
Take a moment to read this article, watch the demonstrations, and then contemplate the implications. For a long time, protecting local administrative access meant protecting the confidentiality of the data stored on the server or PC tethered to those local admin credentials. This exploit / vulnerability / Windows feature (select your viewpoint here) changes the game and injects another leg of the security triad stool – integrity. Data stored or associated with a specific user session can be accessed as that user without compromising that user’s credentials and without leaving any significant forensic fingerprints.
This article alludes to the fact that Microsoft is well aware of this “feature” and most likely has no intentions of changing it. As such, we as IT security professionals and general IT practitioners must take necessary steps to mitigate the possibility of exploitation.
Not as if we needed another reason to disable TELNET on network devices, but this article is a great reminder. Please review your Cisco switch deployments and reconfigure as needed.
This article is a fun source to use to build out your reading list this spring. I have more than a few of these books on my shelf and find them very useful. Enjoy!
This should not come as a surprise to many of you, but we can all use this as a friendly reminder to evaluate all of our legacy systems and plan accordingly for decommissioning and replacement.
This article provides an interesting discussion concerning the value of encryption as one layer of defense for sensitive data, but please do not lose sight of the absolute fact that encryption is not a panacea. No defensive mechanism is perfect.
Defenses should be deployed in layers and plans should always be in place to mitigate the effects of eventual data compromise and loss. You can limit the effect of the problem, but you cannot eliminate the risk.