ORLANDO, Fla. -- Jason Mortensen has done enough penetration testing to know it's not hard to steal passwords, pretend you're someone else and do all kinds of nasty things online. He
said attackers triumph all the time by manipulating predictable Web session IDs, guessing passwords, stealing and replaying cookies, keystroke logging, network sniffing and tricking users into clicking on malicious links. "Far too many times I've found that developers put plaintext information in cookies, URLs or HTML hidden fields as a way to manage sessions," said Mortensen, an IT security engineer with Motorola's information protection services division. "This is really scary, a horrible practice since the information can easily be modified by an attacker."
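The contrast Mortensen draws, plaintext session state in a cookie versus an opaque, unpredictable session ID backed by server-side state, as an added example that is not part of the article and not Motorola's code. Function names, the in-memory `SESSION_STORE` and the `SERVER_KEY` value are assumptions for illustration; a real deployment would load the key from a secrets store and keep sessions in a shared backend with expiry.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a per-process signing key. In production this
# comes from a secrets store, never from source code.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory session store: opaque session id -> session data.
SESSION_STORE = {}


def weak_cookie(username, role):
    """The anti-pattern the article describes: plaintext state in the cookie.
    Whatever the server later reads back from this value is client-controlled."""
    return f"user={username}; role={role}"


def parse_weak_cookie(cookie):
    """Server side of the anti-pattern: trusts the cookie's fields as-is."""
    fields = dict(part.split("=", 1) for part in cookie.split("; "))
    return fields["user"], fields["role"]


def issue_session(username, role):
    """Hardened alternative: keep state server-side, hand the client only an
    unpredictable opaque id, and sign that id so tampering is detectable."""
    session_id = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG, not guessable
    SESSION_STORE[session_id] = {"user": username, "role": role}
    tag = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def resolve_session(cookie):
    """Verify the HMAC before consulting the store; return None on any failure
    (malformed cookie, bad signature, unknown or revoked id)."""
    try:
        session_id, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or modified cookie; worth logging as a detection signal
    return SESSION_STORE.get(session_id)


def revoke_session(cookie):
    """Because state lives server-side, logout actually invalidates the session."""
    if resolve_session(cookie) is None:
        return False
    session_id = cookie.rsplit(".", 1)[0]
    del SESSION_STORE[session_id]
    return True


if __name__ == "__main__":
    # The weak cookie carries the authorization decision in the clear.
    print("weak cookie:", weak_cookie("alice", "user"))
    # The hardened cookie carries nothing but an opaque id and its signature.
    cookie = issue_session("alice", "user")
    print("hardened cookie:", cookie)
    print("resolves to:", resolve_session(cookie))
    revoke_session(cookie)
    print("after logout:", resolve_session(cookie))
```

The two properties that matter here are that the session ID is unpredictable (Mortensen's "predictable Web session IDs" attack class) and that the cookie carries no authorization data of its own, so modifying it yields a signature mismatch rather than a privilege change.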
Enterprises can blunt these attacks by enforcing strong password rules, educating users, implementing stronger session management and exploring alternative ways to authenticate users, he
...Jason Mortensen, IT security manager, Motorola's information protection services division
think the technology is the answer to all the attacks he
"I'm not sure," he