<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-4992951429179541948.comments</id><updated>2009-03-09T09:47:44.524Z</updated><title type='text'>EthicalHack.co.uk</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.ethicalhack.co.uk/feeds/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/comments/default'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/'/><author><name>EthicalHack</name><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>10</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-956799276388581167</id><published>2008-12-10T22:23:12.835Z</published><updated>2008-12-10T22:23:12.835Z</updated><title type='text'>Hi Francisco, you may have a valid point in saying...</title><content type='html'>Hi Francisco, you may have a valid point in saying so, but then we have to maintain a balance between security and usability. 
To prevent high call volumes to call centers, it may be a good idea to automate the username/password reminder process and to send the user ID or the password to the registered email address after successful user verification.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/956799276388581167'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/956799276388581167'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html?showComment=1228947792835#c956799276388581167' title=''/><author><name>EthicalHack</name><uri>http://www.blogger.com/profile/00717858528558631704</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='03518006981000586820'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-5332694903067833908' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/5332694903067833908' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-5075053207886372428</id><published>2008-12-04T13:59:00.000Z</published><updated>2008-12-04T13:59:00.000Z</updated><title type='text'>What are your thoughts on the usability of this ap...</title><content type='html'>What are your thoughts on the usability of this approach? Online applications are not just for preference, but to ease volume on higher cost customer channels and keep product cost down. With people maintaining so many IDs and passwords, if you don't specify which is at issue, don't you think you will greatly increase calls to the call center to address the forgotten ID or password?
Any recommendations to balance this?</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/5075053207886372428'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/5075053207886372428'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html?showComment=1228399140000#c5075053207886372428' title=''/><author><name>D. Francisco - Wisconsin</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-5332694903067833908' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/5332694903067833908' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-2956760800890775529</id><published>2008-11-23T00:55:00.000Z</published><updated>2008-11-23T00:55:00.000Z</updated><title type='text'>Hello,Most extensions enumerated in FireCAT 1.4 ca...</title><content type='html'>Hello,&lt;BR/&gt;Most extensions enumerated in FireCAT 1.4 can be found in a package:&lt;BR/&gt;http://phrack.fr/tools/FireCAT-1.4.tar.gz</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/1050735450914029402/comments/default/2956760800890775529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/1050735450914029402/comments/default/2956760800890775529'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2007/12/firecat-using-firefox-as-pentesting.html?showComment=1227401700000#c2956760800890775529' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email></author><thr:in-reply-to 
xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2007/12/firecat-using-firefox-as-pentesting.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-1050735450914029402' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/1050735450914029402' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-4442382836949751597</id><published>2008-02-11T10:32:24.581Z</published><updated>2008-02-11T10:32:24.581Z</updated><title type='text'>@ lyalc:I totally agree with you, and as you said,...</title><content type='html'>@ lyalc:&lt;BR/&gt;&lt;BR/&gt;I totally agree with you, and as you said, requirement 6.6 is about making sure that all other steps have been followed and catching some unthoughtful bugs and errors. I am actually trying to say that both source code review and a WAF would complement each other and we cannot replace one with the other. &lt;BR/&gt;&lt;BR/&gt;Moreover, I would say that we can put a WAF to better use by using it as an analysis tool rather than just using it as a protection mechanism.
This would help us to understand the attacks faced by an application and we can use this information to improve the security of an application to the next level.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/3015071056164655219/comments/default/4442382836949751597'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/3015071056164655219/comments/default/4442382836949751597'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2008/01/pci-compliance-web-application-firewall.html?showComment=1202725944581#c4442382836949751597' title=''/><author><name>Vishal Garg</name><uri>http://www.blogger.com/profile/00717858528558631704</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='03518006981000586820'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2008/01/pci-compliance-web-application-firewall.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-3015071056164655219' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/3015071056164655219' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-7098412867014800778</id><published>2008-02-09T21:58:00.000Z</published><updated>2008-02-09T21:58:00.000Z</updated><title type='text'>Actually, PCI requires security throughout the SDL...</title><content type='html'>Actually, PCI requires security throughout the SDLC (this is most of what section 6 is about). &lt;BR/&gt;WAFs and/or third-party code review are there to catch the inevitable "we didn't implement against that" gaps
and bugs.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/3015071056164655219/comments/default/7098412867014800778'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/3015071056164655219/comments/default/7098412867014800778'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2008/01/pci-compliance-web-application-firewall.html?showComment=1202594280000#c7098412867014800778' title=''/><author><name>lyalc</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2008/01/pci-compliance-web-application-firewall.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-3015071056164655219' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/3015071056164655219' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-8746127956862617298</id><published>2008-01-30T15:40:57.356Z</published><updated>2008-01-30T15:40:57.356Z</updated><title type='text'>I completely agree with this. The best way to secu...</title><content type='html'>I completely agree with this. The best way to secure applications would be to integrate security early into the SDLC. 
We may then want to add WAFs on top just to mitigate risks arising from unintentional coding errors.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/3015071056164655219/comments/default/8746127956862617298'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/3015071056164655219/comments/default/8746127956862617298'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2008/01/pci-compliance-web-application-firewall.html?showComment=1201707657356#c8746127956862617298' title=''/><author><name>Vishal Garg</name><uri>http://www.blogger.com/profile/00717858528558631704</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='03518006981000586820'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2008/01/pci-compliance-web-application-firewall.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-3015071056164655219' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/3015071056164655219' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-6127386496372058985</id><published>2008-01-30T14:33:00.000Z</published><updated>2008-01-30T14:33:00.000Z</updated><title type='text'>Hi VishalIMHO this is another example of PCI DSS u...</title><content type='html'>Hi Vishal&lt;BR/&gt;&lt;BR/&gt;IMHO this is another example of PCI DSS unintentionally promoting the use of silver bullets. 
An application firewall can sometimes help stop the most common attacks, but frequently it's just another appliance for security solution vendors to sell.&lt;BR/&gt;&lt;BR/&gt;As you imply, there's no substitute for building security in to the development process, and for developers to be given the time and resources to write more secure code.&lt;BR/&gt;&lt;BR/&gt;Don't you just love the imperatives of capitalism ;-)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/3015071056164655219/comments/default/6127386496372058985'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/3015071056164655219/comments/default/6127386496372058985'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2008/01/pci-compliance-web-application-firewall.html?showComment=1201703580000#c6127386496372058985' title=''/><author><name>Peter Wood</name><uri>http://www.blogger.com/profile/18413344931309296785</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2008/01/pci-compliance-web-application-firewall.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-3015071056164655219' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/3015071056164655219' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-7524408229150459956</id><published>2008-01-06T09:23:00.000Z</published><updated>2008-01-06T09:23:00.000Z</updated><title type='text'>Exactly what I meant, thanks. However, after furth...</title><content type='html'>Exactly what I meant, thanks. However, after further experimentation, it looks like blogger.com *does* differentiate between unknown users and wrong passwords. 
Not so good!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/7524408229150459956'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/7524408229150459956'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html?showComment=1199611380000#c7524408229150459956' title=''/><author><name>Peter Wood</name><uri>http://www.blogger.com/profile/18413344931309296785</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-5332694903067833908' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/5332694903067833908' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-1059622792059559533</id><published>2008-01-05T21:48:32.031Z</published><updated>2008-01-05T21:48:32.031Z</updated><title type='text'>Thanks Mr. Wood for being the first commentator on...</title><content type='html'>Thanks Mr. Wood for being the first commentator on my blog.&lt;BR/&gt;&lt;BR/&gt;I can understand your point. It would hardly matter what error message has been returned as long as the behaviour of the application remains the same no matter whether the username or the password is wrong.
But if the application behaves differently for a wrong username than for a wrong password, that would provide enough grounds for an attacker to enumerate valid user accounts on that web application.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/1059622792059559533'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/1059622792059559533'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html?showComment=1199569712031#c1059622792059559533' title=''/><author><name>Vishal Garg</name><uri>http://www.blogger.com/profile/00717858528558631704</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='03518006981000586820'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-5332694903067833908' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/5332694903067833908' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4992951429179541948.post-242653546816841700</id><published>2008-01-05T13:54:00.000Z</published><updated>2008-01-05T13:54:00.000Z</updated><title type='text'>An excellent explanation Vishal. I look forward to...</title><content type='html'>An excellent explanation Vishal.
I look forward to reading how developers can mitigate these problems.&lt;BR/&gt;&lt;BR/&gt;BTW blogger.com reports "incorrect password" for both a legitimate user and a false username - demonstrating they may know what they're doing!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/242653546816841700'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4992951429179541948/5332694903067833908/comments/default/242653546816841700'/><link rel='alternate' type='text/html' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html?showComment=1199541240000#c242653546816841700' title=''/><author><name>Peter Wood</name><uri>http://www.blogger.com/profile/18413344931309296785</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.ethicalhack.co.uk/2008/01/user-enumeration-part-1.html' ref='tag:blogger.com,1999:blog-4992951429179541948.post-5332694903067833908' source='http://www.blogger.com/feeds/4992951429179541948/posts/default/5332694903067833908' type='text/html'/></entry></feed>