On 10.04.2014 00:32, Craig Holmes wrote:
> On April 8, 2014 10:21:34 AM Matthew Musingo wrote:
>> Even if your systems were patched an attacker could have already attained
>> the secrets.
>>
>> Certs and other sensitive information need to be reconsidered for
>> replacement or changed
> How realistic is it that an attacker would be able to glean passwords through
> this vulnerability? Programmatically searching through 64k memory dumps for
> certificates seems plausible, but looking for passwords does not. A password
> is of no pre-determined length or format. So unless you know what strings are
> wrapped around it (and those strings are reliably presented), isn't the loss
> of some types of sensitive information.... unlikely?

it is very realistic and already happened

Anonymous Austria yesterday posted about online banking transactions with
screenshots of the data-dumps, webmail-accounts and so on over many hours,
and for a short timeframe there were even folders with thousands of such
dumps online
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/