Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
IRS Attack Demonstrates How Breaches Beget More Breaches
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
RyanSepe,
 User Rank: Ninja
6/2/2015 | 11:33:55 AM
Re: I died a little inside...
Similar to a phishing exercise this represents user awareness training. This is incorporated at institutions from time to time. However, they are not prevalent enough to reach everybody and certain business sectors will most likely never be reached. I posit that this would not be used on someone who works in retail or a services industry. At least I have not heard of instances where they have been practiced in these sectors.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
6/1/2015 | 11:59:52 PM
Re: I died a little inside...
One idea: Hack them.

Let your security department be responsible for pen-testing, including social engineering and attacking employee passwords.  Have the employees who fail complete brief remedial training exercises.
RyanSepe
RyanSepe,
 User Rank: Ninja
6/1/2015 | 10:22:17 AM
Re: I died a little inside...
That is definitely true for some and I agree. It's the touch the stove principle. Until you get burnt, then its hard to see why not to take the easier method. Or parents that have rules for their children but never enforce them....It may be pessimistic to say but not everyone adopts reason for the sake of reason. Many will sacrifice the right method for the sake of ease and we see this time and time again in this discussion.
macker490
macker490,
 User Rank: Ninja
6/1/2015 | 8:00:53 AM
passwords are NOT the principle issue
computers are most often compromised by "phishing" attacks,-- the "click here for cool" sort of thing,-- which of course results in a TROJAN infecting the client computer   example: RSA hack.

the base problem in this is that your operating software should not allow itself to be compromised by the activity of an application program.   this was implemented in IBM System/360 in *1964* and in x86 at 80386 .   if you must use operating software that is vulnerable to trojans the best plan is to isolate such systems from the public facing internet.   generally best practice should limit public facing access to the net to those systems which require that access -- and then make a *thorough review* of protection, *particularly* paying attention to *sanitizing* inputs.    Let me put that down again: Inputs *MUST* be *sanitized* .

Hackers are not going about hunting down individual machines to see if they can crack the password.   they want to swing a wide loop and rake in as many victims as possible *automatically* -- they don't have time to fuss with cracking passwords except for high value targets.   for high value targets they will start with a rainbow table -- but a rainbow table only works *after* the passwords hash table has been stolen -- which of course -- should not be allowed to hapen .   Sanitize those inputs: SQL injection is the most likely means of exfiltrating your passwords table .

high value targets *will* be attacked individually; generally by searching for a means of getting remote administrator access.   but "high value" targets *should* be administered by folks who know to use high security (randomly generated) passwords -- and not to release these over the phone or by some insecure link such as an email that is not using PGP.   example HB Gary


it is *critical* to remember: a password can be changed if it is compromised,-- your biometrics -- fingerprints, irs scans, DNA and such -- cannot.   these are digitized by ID systems and the data serves in the same manner as any other password.   the two critical problems with biometric ID are (1) you cannot change your biometric "password", and (2) you cannot be anonymous

marketing and the NSA prefer that you *NOT* be anonymous

"Best Practice" documents for computers generally recommend changing passwords on a periodic basis.
Paladium
Paladium,
 User Rank: Moderator
6/1/2015 | 7:11:16 AM
Re: I died a little inside...
I am much more of a pessimist here.  I am quite certain these people know full well the need for complex passwords but just don't care... until caught.  It's a matter of convenience.  Like so many other issues seen today from social, politics, sports, etc....  until people start being held accountable they will continue to act out of their own self interests.  Very sad but true.
RyanSepe
RyanSepe,
 User Rank: Ninja
5/31/2015 | 11:29:32 PM
Re: I died a little inside...
@Joe. Very true. There is so much data behind the top worst passwords for the year being favorite sports teams, foods, or vacation spots. We see the statistics all the time. 

Here's the trick. How do we reach those people? The people who are not yet aware of the dangers these lack luster controls may bring. Much of the population utilize technology because it is a day-to-day mandate, but only a very small portion are tech savvy. How can we make the message more comprehensive.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
5/31/2015 | 11:25:13 PM
Re: I died a little inside...
@Paladium: Of course, I fully expect Koskinen et al. to hold this up as reason why the IRS needs a higher budget.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
5/31/2015 | 11:24:24 PM
Re: I died a little inside...
@Ryan: More the point, how many people's passwords are, simply, "pizza" -- or some variation thereon (for instance, "[email protected]")?
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
5/30/2015 | 11:36:03 PM
Re: I died a little inside...
I love how the federal government is pushing biometrics on the private sector with a universal ID (which will help it track citizens' private affairs), but they can't get their own security house in order to protect private citizen data from hackers.

Ridiculousness.
macker490
macker490,
 User Rank: Ninja
5/30/2015 | 8:21:15 AM
Re: Secure Computing in a Compromised Environment
"Will Secure Communications become the norm?"   That it seems is the fifty-billion dollar question!

we have powerful interests vehimently opposed to security software.  Their concern is that it cripples their data gathering projects.   on the other hand we have a *serious* problem with hacking

which brings us to the interesting question: where's the "Tipping Point" ?  The opposition holds the "bully pulpit" but their argumnents are a bit less than forthright.    which leads me to suspect there will be a sea change in the near fiuture

interestingly version 2.1 of the Gnu Privacy Guard is now supporting Eliptic Curve Technology -- which helps to solve the questions about the use of large prime numbers used in traditional PGP .

interesting topic
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-43665
PUBLISHED: 2023-02-02
A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2022-2546
PUBLISHED: 2023-02-02
The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response tha...
CVE-2023-0400
PUBLISHED: 2023-02-02
The protection bypass vulnerability in DLP for Windows 11.9.x is addressed in version 11.10.0. This allowed a local user to bypass DLP controls when uploading sensitive data from a mapped drive into a web email client. Loading from a local driver was correctly prevented. Versions prior to 11.9 corre...
CVE-2023-0637
PUBLISHED: 2023-02-02
A vulnerability, which was classified as critical, was found in TRENDnet TEW-811DRU 1.0.10.0. This affects an unknown part of the file wan.asp of the component Web Management Interface. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The exploit has been ...
CVE-2023-0638
PUBLISHED: 2023-02-02
A vulnerability has been found in TRENDnet TEW-811DRU 1.0.10.0 and classified as critical. This vulnerability affects unknown code of the component Web Interface. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may b...