[#] Tue Mar 08 2016 10:46:10 EST from zooer


I was in such shock to see Ed Schultz still on TV that I didn't think too much about McAfee's statement.  He said he was lying. I think we knew that,

http://www.news.com.au/technology/online/security/john-mcafee-said-he-lied-about-how-he-would-crack-iphone-to-draw-attention-to-the-deception-of-the-fbi/news-story/83796467e74b31c1c2ea5717406a77e9

But he had a reason to do it.

McAfee's motto should be "Who's to blame?  Hookers and cocaine!"



[#] Sat Mar 12 2016 05:57:42 EST from LoanShark



Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid

http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

(The conventional wisdom is clearly wrong; this hack wasn't perpetrated by Putin & Co; it was obviously done by Bernie Sanders' campaign staff in an unauthorized data-trolling operation. More on that theory later when I'm sober.)

[#] Mon Mar 14 2016 00:41:48 EDT from ax25


Good read LoanShark.  Thanks for posting.  I hate to think that sysadmins were the weak link here, but I suppose some of them can be co-opted to run a MS Word macro.

 Paranoia, the destroyer.




[#] Mon Mar 14 2016 07:49:15 EDT from LoanShark



Seems equally plausible that the attackers co-opted a normal user or plant operator level account first, and gradually escalated their privileges once they gained a toehold. They had plenty of time to do that - 6 months or so.

[#] Thu Mar 24 2016 11:31:25 EDT from IGnatius T Foobar


Why would they do that?  Data encryption at rest is more important than ever.

I'd actually be far more interested in seeing device vendors set up a mode where the device tells your employer's email server "yeah yeah, you have permission to remote wipe the device etc. etc." but not actually do that.



[#] Thu Mar 24 2016 15:02:45 EDT from LoanShark



Huh?

[#] Fri Mar 25 2016 22:23:54 EDT from IGnatius T Foobar


For a lot of people, getting your work email on your phone requires accepting a device policy that gives the administrator of the email server permission to remote-wipe the device.  And of course there are mobile device managers that can get even more heinous than that.

If device manufacturers truly cared about their customers, they would create a mode where it tells the email server that it was given permission to remote-wipe the device, but if such a request actually comes across, tells the server to go shit in its hat.



[#] Sat Mar 26 2016 10:21:57 EDT from dothebart


You should consider that in case of device loss you may not want the finder to be able to access your data.



[#] Sat Mar 26 2016 10:34:31 EDT from zooer


*This* is why we can't have nice things.



[#] Mon Mar 28 2016 11:59:53 EDT from LoanShark


Why would they do that?  Data encryption at rest is more important than ever.

Oh, was this in response to the Amazon FireOS comment?

[#] Sat Jul 09 2016 23:37:40 EDT from IGnatius T Foobar


Yup.

[#] Fri Aug 05 2016 11:05:51 EDT from the_mgt


http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/

This article annoys me. The example provided is just a piss-poor excuse for a bad password-changing policy. Which is used almost everywhere, I acknowledge.

Admins should be way more demanding, 50% difference to all previous passwords, or something like that. I dunno how feasible that is with hashed and salted passwords, though.

In general, passwords should be at least 20 chars long and they must not contain a number. There are only 10 digits, why reduce your entropy on one char, if you could simply demand one char more and let the user choose it? People will use a 1 or their birthdate (visible on facebook) or some other stupid number.

In the long term, we need to overcome passwords; there must be something smarter. My 30 char long passphrases are a nightmare to enter on touchscreens. And the more often you mistype, the easier it is for somebody to spy on your fingers.

The problem with passwords at all my clients is always the boss or the bosses. They choose the easiest and worst passwords ever; I even have one that uses 12345, another site uses a common 4 letter word for admin logins (and at the same time disables DHCP for security reasons, so the network is harder to hack *...). They always want to know the passwords of everyone else, so they can "log in to their computers, if needed." So passwords need to be stored on paper somewhere in the office, which then lands on the server as a scanned page. Or there is a password text file on the public share.

So, besides the xkcd hint, is there any good guide that a boss would understand for a password policy in the office?

* This disabling-DHCP hack is a common security-by-obscurity trick that would have stopped me for like 15 minutes when I was 14. In the age of ubiquitous internet, it probably only stops the persons that want to use the network with good intentions.



[#] Fri Aug 05 2016 12:23:38 EDT from IGnatius T Foobar


The reason the XKCD hint is so popular is because it describes the problem in terms anyone can understand. Long passwords are better than complex passwords.
Password complexity requirements make people write down their passwords (or store them in some insecure location online), which completely ruins the whole objective.

And although all reasonable people understand that, the people who do security policy all seem to stick with complexity requirements because that's the current "standard" and no one wants to go out on a limb to buck it. Realistically, password policies should be like "contain a symbol or hieroglyphics *or* be more than 20 characters"
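The two posts above argue from entropy (the_mgt: a digit position buys fewer bits than a letter position) and from policy (IGnatius: accept a symbol *or* length over 20). The following is an added example, not code from the thread or from any product it mentions, that puts both into one checker. It scores passwords with a per-position mask-attack model (each character contributes log2 of its own class size, which is what an attacker running a mask such as `?l?l?l?d` actually has to cover), implements the "long passphrase or shorter-with-symbol" rule, and shows why the "50% different from previous passwords" idea only works at change time, when the old password is still in the clear. The 12-character floor for the short form, the 1000-symbol pool for non-ASCII characters and the 0.5 similarity threshold are assumptions of this example.

```python
import math
import string
from difflib import SequenceMatcher

# Per-position character pools. Under a mask attack the attacker only has to
# cover the class actually used at each position, so each character contributes
# log2(pool) bits no matter what classes appear elsewhere in the password.
_POOLS = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), len(string.punctuation) + 1),  # 33
)
_OTHER_POOL = 1000  # assumption: non-ASCII ("hieroglyphics"), generous but bounded


def char_bits(ch: str) -> float:
    """Bits one character adds under the per-position model."""
    for pool, size in _POOLS:
        if ch in pool:
            return math.log2(size)
    return math.log2(_OTHER_POOL)


def entropy_bits(password: str) -> float:
    """Mask-attack upper bound; a dictionary word scores far lower in practice."""
    return sum(char_bits(c) for c in password)


def has_symbol(password: str) -> bool:
    return any(c in _POOLS[3][0] or ord(c) > 127 for c in password)


def evaluate(password: str, long_min: int = 20, short_min: int = 12):
    """Length-over-complexity policy: a long passphrase is accepted as-is;
    a shorter password must carry a symbol.  long_min follows the post,
    short_min and the symbol rule for the short form are assumptions."""
    n = len(password)
    bits = entropy_bits(password)
    if n >= long_min:
        return True, f"passphrase of {n} chars, ~{bits:.0f} bits"
    if n >= short_min and has_symbol(password):
        return True, f"{n} chars with a symbol, ~{bits:.0f} bits"
    return False, f"too short: need {long_min}+ chars, or {short_min}+ with a symbol"


def too_similar(old_plain: str, new_plain: str, max_ratio: float = 0.5) -> bool:
    """Reject a new password that is mostly the old one (Summer2016! -> Summer2017!).
    This is only possible at change time, when the user supplies the old password
    in clear: a salted hash cannot be compared for similarity, so the rule cannot
    be enforced against every previous password, only against the current one."""
    return SequenceMatcher(None, old_plain, new_plain).ratio() > max_ratio
```

Note that under this model one appended digit is worth about 3.3 bits and one appended lowercase letter about 4.7, which is the_mgt's point; the naive "pool size to the power of length" estimate would say the opposite, because it credits every position with the digit class once a single digit appears.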

[#] Tue Aug 09 2016 23:54:53 EDT from wizard of aahz


When I used to do Sarbanes-Oxley remediations and change control implementations I would inevitably be in a CTO's office on the third or fourth day of the project and hand them a list of 20 passwords. They'd look at me incredulously. I'd tell them "You have great password security.. 10 characters. Must have upper, lower, number and/or symbol. Changes required every 90 days. No repetitions from previous passwords. No repeating characters. Just superb.. No one can remember their passwords. It's all written on sticky notes on their monitors. Let's come up with something more useful."

[#] Fri Aug 12 2016 03:40:33 EDT from the_mgt

Subject: additional tags: #rants #workplace


It seems to be a common "best practice" among Windows admins to disable DHCP as a layer of security, so that it "is harder to hack the network". OK, I have only seen this at two client sites, but both of them share the following:

1. It is incredibly hard to do any normal admin work, like hooking up a new computer, replacing a network device, etc., because you need to put the MAC address on the whitelist and maybe add a distinct address to the host. The result is, people hardwire an IP in the device and forget to document that.

2. They use the worst passwords ever, enforce absolutely no password policy and users never have to change their passwords.


They use passwords like "pass" in the one place, for admin accounts. In the other place, there are local admin accounts on the machines with absolutely no password at all. And all the switches communicate with the "intelligent management console" via ... telnet. Logging in with the very same masterpassword... which is slightly identical to the domain admin password. Oh, and most important people share the very same simple password for all their computer accounts, "because we need to use the other persons computer a lot". (In a domain scenario, where you could login with your own account to the other computer. But people do not save files on the server, they use their own desktop, so..)

So, while I as an admin that only hooks up gear to the network have to jump through hoops and get to enjoy typing in hundreds of MAC addresses, the people with the most confidential data act like total retards and only need to memorize one utterly mongoloid password. Which is also a common term at the place, so it is easily guessable on top of all that.

Lesson learned: "Der Fisch fängt immer am Kopf an zu stinken." A german proverb, stating that the fish begins to smell from the head on, when it rots. In all places I have worked for, the more important the people or the files, the more stupid the passwords and the behavior. (Guess where the master password list is stored in clear text?!)



[#] Fri Aug 12 2016 14:04:44 EDT from IGnatius T Foobar

Subject: Re: additional tags: #rants #workplace


Disabling DHCP as a means of keeping away an intruder who has already gained access to the physical network is only going to slow them down by a tiny bit.  They'll just sniff the wire for a minute or two to figure out its addressing scheme, and look for traffic on port 53 to learn the location of the DNS servers.  In fact, a good attacker will do that even in the presence of a DHCP server, to avoid having any DHCP requests logged.

I haven't seen a lot of access networks having DHCP disabled as a security measure.  What I do see often though, in a larger organization, is the Windows, Linux, and Network teams fighting over who gets to run the DHCP server, and gains the control it offers.
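To show what "sniff the wire for a minute or two" actually yields when DHCP is switched off, here is an added example that is not part of the thread and is not code from any product it mentions. It reads `tcpdump -n`-style lines (the capture below is constructed for the example) and recovers the pieces IGnatius lists, plus one more: the on-link subnet from ARP (ARP never crosses a router, so every address it carries is proven local), the DNS servers from port-53 destinations, the default gateway as the address most hosts ARP for, and a free address to configure statically. The /24 floor on the inferred subnet and the gateway heuristic are assumptions; the enclosing prefix of a few sniffed hosts is only a lower bound on the real subnet size.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed tcpdump -n style output standing in for a short passive capture.
SAMPLE_CAPTURE = [
    "IP 10.20.30.41.52104 > 10.20.30.2.53: 31337+ A? fileserver.corp.example. (41)",
    "IP 10.20.30.2.53 > 10.20.30.41.52104: 31337 1/0/0 A 10.20.30.20 (57)",
    "IP 10.20.30.57.49872 > 10.20.30.3.53: 4242+ AAAA? mail.corp.example. (37)",
    "IP 10.20.30.41.61000 > 10.20.30.20.445: Flags [S], seq 1, win 64240, length 0",
    "ARP, Request who-has 10.20.30.1 tell 10.20.30.41, length 28",
    "ARP, Reply 10.20.30.1 is-at 00:11:22:33:44:01, length 28",
    "ARP, Request who-has 10.20.30.1 tell 10.20.30.57, length 28",
    "ARP, Request who-has 10.20.30.20 tell 10.20.30.41, length 28",
    "ARP, Request who-has 10.20.30.1 tell 10.20.30.99, length 28",
    "IP 10.20.30.99.55555 > 93.184.216.34.443: Flags [S], seq 7, win 64240, length 0",
]

_IP_RE = re.compile(r"^IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
_ARP_REQ_RE = re.compile(r"^ARP, Request who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")
_ARP_REP_RE = re.compile(r"^ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})")


@dataclass
class Evidence:
    on_link: set = field(default_factory=set)       # addresses proven local by ARP
    ip_endpoints: set = field(default_factory=set)  # src/dst of IP packets, may be remote
    dns_servers: set = field(default_factory=set)   # destinations of port-53 traffic
    arp_askers: dict = field(default_factory=lambda: defaultdict(set))  # target -> senders
    macs: dict = field(default_factory=dict)        # ip -> mac learned from ARP replies


def parse_capture(lines):
    """Collect addressing evidence from tcpdump-style lines; unknown lines are ignored."""
    ev = Evidence()
    for line in lines:
        if m := _IP_RE.match(line):
            src, _sport, dst, dport = m.groups()
            ev.ip_endpoints.update((src, dst))
            if dport == "53":
                ev.dns_servers.add(dst)
        elif m := _ARP_REQ_RE.match(line):
            target, sender = m.groups()
            ev.on_link.update((target, sender))
            ev.arp_askers[target].add(sender)
        elif m := _ARP_REP_RE.match(line):
            ip, mac = m.groups()
            ev.on_link.add(ip)
            ev.macs[ip] = mac
    return ev


def enclosing_network(addrs, widest_guess=24):
    """Smallest prefix covering all on-link addresses, widened to at least
    /widest_guess (assumption): sniffed hosts only bound the subnet from below."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    prefix = min(prefix, widest_guess)
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{prefix}")


def infer(ev: Evidence) -> dict:
    net = enclosing_network(ev.on_link)
    local = {a for a in ev.on_link | ev.ip_endpoints if ipaddress.IPv4Address(a) in net}
    # Heuristic: the target the most distinct hosts ARP for is the default gateway.
    gateway = max(ev.arp_askers, key=lambda t: len(ev.arp_askers[t]), default=None)
    # First host address never seen on the wire; a silent host could still own it,
    # so a real tool would ARP-probe it before configuring it.
    free = next((str(h) for h in net.hosts() if str(h) not in local), None)
    return {
        "network": str(net),
        "gateway": gateway,
        "gateway_mac": ev.macs.get(gateway),
        "dns_servers": sorted(ev.dns_servers),
        "live_hosts": sorted(local, key=ipaddress.IPv4Address),
        "free_candidate": free,
    }


def demo() -> dict:
    return infer(parse_capture(SAMPLE_CAPTURE))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The same approach works whether or not a DHCP server exists, which is IGnatius's second point: a quiet attacker who never sends a DHCP request leaves no lease in the server's log, so DHCP logging only records the careless.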