Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
IRS Attack Demonstrates How Breaches Beget More Breaches
RyanSepe, User Rank: Ninja, 6/2/2015 | 11:33:55 AM
Re: I died a little inside...
Similar to a phishing exercise this represents user awareness training. This is incorporated at institutions from time to time. However, they are not prevalent enough to reach everybody and certain business sectors will most likely never be reached. I posit that this would not be used on someone who works in retail or a services industry. At least I have not heard of instances where they have been practiced in these sectors.
Joe Stanganelli, User Rank: Ninja, 6/1/2015 | 11:59:52 PM
Re: I died a little inside...
One idea: Hack them.

Let your security department be responsible for pen-testing, including social engineering and attacking employee passwords.  Have the employees who fail complete brief remedial training exercises.
RyanSepe, User Rank: Ninja, 6/1/2015 | 10:22:17 AM
Re: I died a little inside...
That is definitely true for some and I agree. It's the touch-the-stove principle. Until you get burnt, it's hard to see why not to take the easier method. Or parents that have rules for their children but never enforce them... It may be pessimistic to say but not everyone adopts reason for the sake of reason. Many will sacrifice the right method for the sake of ease and we see this time and time again in this discussion.
macker490, User Rank: Ninja, 6/1/2015 | 8:00:53 AM
passwords are NOT the principal issue
computers are most often compromised by "phishing" attacks -- the "click here for cool" sort of thing -- which of course results in a TROJAN infecting the client computer. Example: RSA hack.

the base problem in this is that your operating software should not allow itself to be compromised by the activity of an application program. This was implemented in IBM System/360 in *1964* and in x86 at 80386. If you must use operating software that is vulnerable to trojans the best plan is to isolate such systems from the public facing internet. Generally best practice should limit public facing access to the net to those systems which require that access -- and then make a *thorough review* of protection, *particularly* paying attention to *sanitizing* inputs. Let me put that down again: Inputs *MUST* be *sanitized*.

Hackers are not going about hunting down individual machines to see if they can crack the password. They want to swing a wide loop and rake in as many victims as possible *automatically* -- they don't have time to fuss with cracking passwords except for high value targets. For high value targets they will start with a rainbow table -- but a rainbow table only works *after* the password hash table has been stolen -- which of course should not be allowed to happen. Sanitize those inputs: SQL injection is the most likely means of exfiltrating your passwords table.

high value targets *will* be attacked individually; generally by searching for a means of getting remote administrator access. But "high value" targets *should* be administered by folks who know to use high security (randomly generated) passwords -- and not to release these over the phone or by some insecure link such as an email that is not using PGP. Example: HBGary.

it is *critical* to remember: a password can be changed if it is compromised -- your biometrics -- fingerprints, iris scans, DNA and such -- cannot. These are digitized by ID systems and the data serves in the same manner as any other password. The two critical problems with biometric ID are (1) you cannot change your biometric "password", and (2) you cannot be anonymous.

marketing and the NSA prefer that you *NOT* be anonymous

"Best Practice" documents for computers generally recommend changing passwords on a periodic basis.
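The comment above makes two defensive points that are easier to see in code than in prose: a query built by string concatenation lets user input change the SQL, while a parameterized query treats it as a literal; and a stolen hash table is only useful to a precomputed (rainbow) table when the hashes are unsalted and fast. The following is an added example written for this thread, not code from the article or from any commenter. It uses an in-memory SQLite table with constructed sample users; the names (`lookup_vulnerable`, `lookup_parameterized`, `verify_password`) and the schema are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Iteration count for PBKDF2-HMAC-SHA256. OWASP's password storage guidance
# suggests 600,000; a lower value is used here only to keep the example quick.
PBKDF2_ITERATIONS = 210_000


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema for the example (not any real system's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: a precomputed table for unsalted SHA-1/MD5 is useless here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' case: the input is pasted into the SQL text itself,
    so a quote in the input rewrites the WHERE clause."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the driver binds the value; the SQL text never changes."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
    ]


def stored_hash(conn: sqlite3.Connection, username: str) -> bytes:
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else b""


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, expected = row
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, hash_password(password, salt))


if __name__ == "__main__":
    db = make_db()
    add_user(db, "alice", "pizza")
    add_user(db, "bob", "pizza")
    probe = "' OR '1'='1"  # constructed input containing a quote
    print("concatenated query returns:", lookup_vulnerable(db, probe))
    print("parameterized query returns:", lookup_parameterized(db, probe))
    print("same password, different hashes:",
          stored_hash(db, "alice") != stored_hash(db, "bob"))
    print("alice/pizza verifies:", verify_password(db, "alice", "pizza"))
```

Run as a script it shows the concatenated query returning every row for an input that contains a quote, the parameterized query returning nothing for the same input, and two users with the same password stored under different hashes because each has its own salt.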
Paladium, User Rank: Moderator, 6/1/2015 | 7:11:16 AM
Re: I died a little inside...
I am much more of a pessimist here.  I am quite certain these people know full well the need for complex passwords but just don't care... until caught.  It's a matter of convenience.  Like so many other issues seen today from social, politics, sports, etc....  until people start being held accountable they will continue to act out of their own self interests.  Very sad but true.
RyanSepe, User Rank: Ninja, 5/31/2015 | 11:29:32 PM
Re: I died a little inside...
@Joe. Very true. There is so much data behind the top worst passwords for the year being favorite sports teams, foods, or vacation spots. We see the statistics all the time. 

Here's the trick. How do we reach those people? The people who are not yet aware of the dangers these lackluster controls may bring. Much of the population utilizes technology because it is a day-to-day mandate, but only a very small portion are tech savvy. How can we make the message more comprehensive?
Joe Stanganelli, User Rank: Ninja, 5/31/2015 | 11:25:13 PM
Re: I died a little inside...
@Paladium: Of course, I fully expect Koskinen et al. to hold this up as reason why the IRS needs a higher budget.
Joe Stanganelli, User Rank: Ninja, 5/31/2015 | 11:24:24 PM
Re: I died a little inside...
@Ryan: More the point, how many people's passwords are, simply, "pizza" -- or some variation thereon (for instance, "[email protected]")?
Joe Stanganelli, User Rank: Ninja, 5/30/2015 | 11:36:03 PM
Re: I died a little inside...
I love how the federal government is pushing biometrics on the private sector with a universal ID (which will help it track citizens' private affairs), but they can't get their own security house in order to protect private citizen data from hackers.

Ridiculousness.
macker490, User Rank: Ninja, 5/30/2015 | 8:21:15 AM
Re: Secure Computing in a Compromised Environment
"Will Secure Communications become the norm?" That, it seems, is the fifty-billion dollar question!

we have powerful interests vehemently opposed to security software. Their concern is that it cripples their data gathering projects. On the other hand we have a *serious* problem with hacking.

which brings us to the interesting question: where's the "Tipping Point"? The opposition holds the "bully pulpit" but their arguments are a bit less than forthright. Which leads me to suspect there will be a sea change in the near future.

interestingly version 2.1 of the GNU Privacy Guard is now supporting Elliptic Curve technology -- which helps to solve the questions about the use of large prime numbers used in traditional PGP.

interesting topic