Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
IRS Attack Demonstrates How Breaches Beget More Breaches
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
50%
50%
RyanSepe,
 User Rank: Ninja
6/2/2015 | 11:33:55 AM
Re: I died a little inside...
Similar to a phishing exercise this represents user awareness training. This is incorporated at institutions from time to time. However, they are not prevalent enough to reach everybody and certain business sectors will most likely never be reached. I posit that this would not be used on someone who works in retail or a services industry. At least I have not heard of instances where they have been practiced in these sectors.
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
6/1/2015 | 11:59:52 PM
Re: I died a little inside...
One idea: Hack them.

Let your security department be responsible for pen-testing, including social engineering and attacking employee passwords.  Have the employees who fail complete brief remedial training exercises.
RyanSepe
50%
50%
RyanSepe,
 User Rank: Ninja
6/1/2015 | 10:22:17 AM
Re: I died a little inside...
That is definitely true for some and I agree. It's the touch the stove principle. Until you get burnt, then its hard to see why not to take the easier method. Or parents that have rules for their children but never enforce them....It may be pessimistic to say but not everyone adopts reason for the sake of reason. Many will sacrifice the right method for the sake of ease and we see this time and time again in this discussion.
macker490
50%
50%
macker490,
 User Rank: Ninja
6/1/2015 | 8:00:53 AM
passwords are NOT the principle issue
computers are most often compromised by "phishing" attacks,-- the "click here for cool" sort of thing,-- which of course results in a TROJAN infecting the client computer   example: RSA hack.

the base problem in this is that your operating software should not allow itself to be compromised by the activity of an application program.   this was implemented in IBM System/360 in *1964* and in x86 at 80386 .   if you must use operating software that is vulnerable to trojans the best plan is to isolate such systems from the public facing internet.   generally best practice should limit public facing access to the net to those systems which require that access -- and then make a *thorough review* of protection, *particularly* paying attention to *sanitizing* inputs.    Let me put that down again: Inputs *MUST* be *sanitized* .

Hackers are not going about hunting down individual machines to see if they can crack the password.   they want to swing a wide loop and rake in as many victims as possible *automatically* -- they don't have time to fuss with cracking passwords except for high value targets.   for high value targets they will start with a rainbow table -- but a rainbow table only works *after* the passwords hash table has been stolen -- which of course -- should not be allowed to hapen .   Sanitize those inputs: SQL injection is the most likely means of exfiltrating your passwords table .

high value targets *will* be attacked individually; generally by searching for a means of getting remote administrator access.   but "high value" targets *should* be administered by folks who know to use high security (randomly generated) passwords -- and not to release these over the phone or by some insecure link such as an email that is not using PGP.   example HB Gary


it is *critical* to remember: a password can be changed if it is compromised,-- your biometrics -- fingerprints, irs scans, DNA and such -- cannot.   these are digitized by ID systems and the data serves in the same manner as any other password.   the two critical problems with biometric ID are (1) you cannot change your biometric "password", and (2) you cannot be anonymous

marketing and the NSA prefer that you *NOT* be anonymous

"Best Practice" documents for computers generally recommend changing passwords on a periodic basis.
Paladium
50%
50%
Paladium,
 User Rank: Moderator
6/1/2015 | 7:11:16 AM
Re: I died a little inside...
I am much more of a pessimist here.  I am quite certain these people know full well the need for complex passwords but just don't care... until caught.  It's a matter of convenience.  Like so many other issues seen today from social, politics, sports, etc....  until people start being held accountable they will continue to act out of their own self interests.  Very sad but true.
RyanSepe
50%
50%
RyanSepe,
 User Rank: Ninja
5/31/2015 | 11:29:32 PM
Re: I died a little inside...
@Joe. Very true. There is so much data behind the top worst passwords for the year being favorite sports teams, foods, or vacation spots. We see the statistics all the time. 

Here's the trick. How do we reach those people? The people who are not yet aware of the dangers these lack luster controls may bring. Much of the population utilize technology because it is a day-to-day mandate, but only a very small portion are tech savvy. How can we make the message more comprehensive.
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
5/31/2015 | 11:25:13 PM
Re: I died a little inside...
@Paladium: Of course, I fully expect Koskinen et al. to hold this up as reason why the IRS needs a higher budget.
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
5/31/2015 | 11:24:24 PM
Re: I died a little inside...
@Ryan: More the point, how many people's passwords are, simply, "pizza" -- or some variation thereon (for instance, "[email protected]")?
Joe Stanganelli
100%
0%
Joe Stanganelli,
 User Rank: Ninja
5/30/2015 | 11:36:03 PM
Re: I died a little inside...
I love how the federal government is pushing biometrics on the private sector with a universal ID (which will help it track citizens' private affairs), but they can't get their own security house in order to protect private citizen data from hackers.

Ridiculousness.
macker490
50%
50%
macker490,
 User Rank: Ninja
5/30/2015 | 8:21:15 AM
Re: Secure Computing in a Compromised Environment
"Will Secure Communications become the norm?"   That it seems is the fifty-billion dollar question!

we have powerful interests vehimently opposed to security software.  Their concern is that it cripples their data gathering projects.   on the other hand we have a *serious* problem with hacking

which brings us to the interesting question: where's the "Tipping Point" ?  The opposition holds the "bully pulpit" but their argumnents are a bit less than forthright.    which leads me to suspect there will be a sea change in the near fiuture

interestingly version 2.1 of the Gnu Privacy Guard is now supporting Eliptic Curve Technology -- which helps to solve the questions about the use of large prime numbers used in traditional PGP .

interesting topic
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Google Cloud Debuts Threat-Detection Service
Robert Lemos, Contributing Writer,  9/23/2020
Shopify's Employee Data Theft Underscores Risk of Rogue Insiders
Kelly Sheridan, Staff Editor, Dark Reading,  9/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25772
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25773
PUBLISHED: 2020-09-29
A vulnerability in the Trend Micro Apex One ServerMigrationTool component could allow an attacker to execute arbitrary code on affected products. User interaction is required to exploit this vulnerability in that the target must import a corrupted configuration file.