Comments
IRS Attack Demonstrates How Breaches Beget More Breaches
RyanSepe,
User Rank: Ninja
6/2/2015 | 11:33:55 AM
Re: I died a little inside...
Similar to a phishing exercise this represents user awareness training. This is incorporated at institutions from time to time. However, they are not prevalent enough to reach everybody and certain business sectors will most likely never be reached. I posit that this would not be used on someone who works in retail or a services industry. At least I have not heard of instances where they have been practiced in these sectors.
Joe Stanganelli,
User Rank: Ninja
6/1/2015 | 11:59:52 PM
Re: I died a little inside...
One idea: Hack them.

Let your security department be responsible for pen-testing, including social engineering and attacking employee passwords.  Have the employees who fail complete brief remedial training exercises.
RyanSepe,
User Rank: Ninja
6/1/2015 | 10:22:17 AM
Re: I died a little inside...
That is definitely true for some and I agree. It's the touch the stove principle. Until you get burnt, it's hard to see why not to take the easier method. Or parents that have rules for their children but never enforce them....It may be pessimistic to say but not everyone adopts reason for the sake of reason. Many will sacrifice the right method for the sake of ease and we see this time and time again in this discussion.
macker490,
User Rank: Ninja
6/1/2015 | 8:00:53 AM
passwords are NOT the principle issue
computers are most often compromised by "phishing" attacks,-- the "click here for cool" sort of thing,-- which of course results in a TROJAN infecting the client computer   example: RSA hack.

the base problem in this is that your operating software should not allow itself to be compromised by the activity of an application program.   this was implemented in IBM System/360 in *1964* and in x86 at 80386 .   if you must use operating software that is vulnerable to trojans the best plan is to isolate such systems from the public facing internet.   generally best practice should limit public facing access to the net to those systems which require that access -- and then make a *thorough review* of protection, *particularly* paying attention to *sanitizing* inputs.    Let me put that down again: Inputs *MUST* be *sanitized* .

Hackers are not going about hunting down individual machines to see if they can crack the password.   they want to swing a wide loop and rake in as many victims as possible *automatically* -- they don't have time to fuss with cracking passwords except for high value targets.   for high value targets they will start with a rainbow table -- but a rainbow table only works *after* the passwords hash table has been stolen -- which of course -- should not be allowed to happen .   Sanitize those inputs: SQL injection is the most likely means of exfiltrating your passwords table .

high value targets *will* be attacked individually; generally by searching for a means of getting remote administrator access.   but "high value" targets *should* be administered by folks who know to use high security (randomly generated) passwords -- and not to release these over the phone or by some insecure link such as an email that is not using PGP.   example HB Gary


it is *critical* to remember: a password can be changed if it is compromised,-- your biometrics -- fingerprints, iris scans, DNA and such -- cannot.   these are digitized by ID systems and the data serves in the same manner as any other password.   the two critical problems with biometric ID are (1) you cannot change your biometric "password", and (2) you cannot be anonymous

marketing and the NSA prefer that you *NOT* be anonymous

"Best Practice" documents for computers generally recommend changing passwords on a periodic basis.
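The two defensive points in the post above (parameterize queries so the password table cannot be read through SQL injection, and salt and stretch stored hashes so a stolen table is useless to a rainbow table) as an added, self-contained example. This is illustration code, not anything from the article or the commenter; the sqlite table, users and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table; sample data only.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Per-user random salt plus a slow KDF: a precomputed rainbow table is
    # useless against a stolen copy, and every user must be attacked separately.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def add_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    _DB.execute("INSERT INTO users VALUES (?, ?, ?)",
                (name, salt, _hash_pw(password, salt)))


def lookup_vulnerable(name: str) -> list:
    # Untrusted input spliced into the SQL text: the query's structure is now
    # under the caller's control, so a quote in the name changes what is selected.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in _DB.execute(sql))


def lookup_safe(name: str) -> list:
    # Parameterized query: the input is bound as data and never parsed as SQL.
    return sorted(row[0] for row in
                  _DB.execute("SELECT name FROM users WHERE name = ?", (name,)))


def verify(name: str, password: str) -> bool:
    # Recompute the salted hash and compare in constant time.
    row = _DB.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                      (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(_hash_pw(password, row[0]), row[1])


add_user("alice", "pizza")
add_user("bob", "p1zz@")
```

Feeding a name containing a stray quote and an always-true condition to `lookup_vulnerable` lists every user, while `lookup_safe` treats the same string as a literal name and returns nothing.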
Paladium,
User Rank: Moderator
6/1/2015 | 7:11:16 AM
Re: I died a little inside...
I am much more of a pessimist here.  I am quite certain these people know full well the need for complex passwords but just don't care... until caught.  It's a matter of convenience.  Like so many other issues seen today from social, politics, sports, etc....  until people start being held accountable they will continue to act out of their own self interests.  Very sad but true.
RyanSepe,
User Rank: Ninja
5/31/2015 | 11:29:32 PM
Re: I died a little inside...
@Joe. Very true. There is so much data behind the top worst passwords for the year being favorite sports teams, foods, or vacation spots. We see the statistics all the time. 

Here's the trick. How do we reach those people? The people who are not yet aware of the dangers these lackluster controls may bring. Much of the population utilize technology because it is a day-to-day mandate, but only a very small portion are tech savvy. How can we make the message more comprehensive?
Joe Stanganelli,
User Rank: Ninja
5/31/2015 | 11:25:13 PM
Re: I died a little inside...
@Paladium: Of course, I fully expect Koskinen et al. to hold this up as reason why the IRS needs a higher budget.
Joe Stanganelli,
User Rank: Ninja
5/31/2015 | 11:24:24 PM
Re: I died a little inside...
@Ryan: More the point, how many people's passwords are, simply, "pizza" -- or some variation thereon (for instance, "p1zz@")?
Joe Stanganelli,
User Rank: Ninja
5/30/2015 | 11:36:03 PM
Re: I died a little inside...
I love how the federal government is pushing biometrics on the private sector with a universal ID (which will help it track citizens' private affairs), but they can't get their own security house in order to protect private citizen data from hackers.

Ridiculousness.
macker490,
User Rank: Ninja
5/30/2015 | 8:21:15 AM
Re: Secure Computing in a Compromised Environment
"Will Secure Communications become the norm?"   That it seems is the fifty-billion dollar question!

we have powerful interests vehemently opposed to security software.  Their concern is that it cripples their data gathering projects.   on the other hand we have a *serious* problem with hacking

which brings us to the interesting question: where's the "Tipping Point" ?  The opposition holds the "bully pulpit" but their arguments are a bit less than forthright.    which leads me to suspect there will be a sea change in the near future

interestingly version 2.1 of the Gnu Privacy Guard is now supporting Elliptic Curve Technology -- which helps to solve the questions about the use of large prime numbers used in traditional PGP .

interesting topic