June 12, 2012 at 5:16 pm #7633Don DonzalKeymaster
Here’s another free webcast from Rapid7, home of Metasploit and Nexpose, that I thought might be a great help when securing your own environment as well as talking to the higher ups. Good luck with that one. 😉
[align=center:2twq1y7a]Life's a Breach! Lessons Learned from Recent High Profile Breaches[/align:2twq1y7a]
In the current threat environment, the chances of getting breached are pretty high. What are the steps you’ve taken to reduce that risk? In the event it does happen, what actions will you take to act quickly?
Join Marcus Carey, Security Researcher at Rapid7, for a free webcast, “Life’s a Breach! Lessons learned from recent high profile breaches,” on Thursday, June 14 at 2:00 pm EDT. The webcast will discuss what we can learn from recent high profile breaches, including LinkedIn and Global Payments.
Marcus will identify:
• Attacker profiles and their modus operandi
• Common security miscues
• Cryptography and cryptanalysis best practices
• Incident response and business continuity best practices
Attendees of this webcast will gain practical advice on best practice approaches to minimizing the risk and potential business impact of a breach.
Reserve your spot now – space is limited
June 12, 2012 at 7:02 pm #47667rattisParticipant
I’d like to see it, but don’t like the idea of having to supply some of the information they’re asking for. I don’t want them to think I’m a possible sales lead when i’m not.
June 12, 2012 at 9:21 pm #47668unicitydParticipant
Here’s the lesson: use bcrypt.
The reason the LinkedIn hack resulted in so much criticism is that the passwords were all hashed without any sort of password stretching or salting. Salting prevents precomputation and forces the attacker to guess each password separately; brute force can’t scale for multiple users. Stretching also destroys rainbow tables and makes brute force much slower. Some people have criticized LinkedIn for using SHA-1 but that’s beside the point. With salting and stretching, even MD5 would be fine (although I’d use SHA-256 or better).
Nobody should design their own scheme here. Salting and stretching are already implemented in bcrypt, scrypt, and PBKDF2. Use one of those. Scrypt is new, but bcrypt has been in OpenBSD for more than a decade and is pretty widely supported. PBKDF2 is standardized in RSA’s PKCS #5 and in RFC 2898. Bcrypt and Scrypt appear to be the strongest options.
- You must be logged in to reply to this topic.