The Security of Interconnected Systems
Posted Monday, February 17, 2014 8:29 PM


SSC-Dedicated


Group: Administrators
Last Login: Today @ 10:19 AM
Points: 31,082, Visits: 15,531
Comments posted to this topic are about the item The Security of Interconnected Systems






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1542341
Posted Monday, February 17, 2014 8:37 PM


SSCoach


Group: General Forum Members
Last Login: Today @ 10:19 AM
Points: 17,734, Visits: 15,600

the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link. Every network has a vulnerability. Hackers rely and prey on those weaknesses. Many of the weaknesses are easy enough to plug and reinforce - from a tech perspective. If the vulnerability is not plugged, what does that say about the people responsible for plugging those holes? They need a little training and exposure to the risk.




Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server


SQL RNNR

Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1542344
Posted Tuesday, February 18, 2014 1:41 AM


SSCertifiable


Group: General Forum Members
Last Login: Today @ 10:25 AM
Points: 5,473, Visits: 3,263
Totally agree. Every time one tackles the weakest point, the security bar is raised. I always think that any system can be broken into. By making it as difficult as is economically possible, at the very least you stop the vandals, i.e. people following instructions and running other people's scripts and kits.

As they say, when being chased by a bear you don't have to be faster than the bear, just faster than the person you are with.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1542412
Posted Tuesday, February 18, 2014 2:50 AM
SSCommitted


Group: General Forum Members
Last Login: Yesterday @ 7:18 AM
Points: 1,594, Visits: 5,633
SQLRNNR (2/17/2014)

the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link.


The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.
Post #1542430
Posted Tuesday, February 18, 2014 3:27 AM


SSCertifiable


Group: General Forum Members
Last Login: Today @ 10:25 AM
Points: 5,473, Visits: 3,263
paul.knibbs (2/18/2014)
SQLRNNR (2/17/2014)

the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link.


The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.


What these surveys never seem to test is how many people deliberately hand over an incorrect password to get the $100. I would. Just like I have a lot of fun with cold callers when it suits me; one time I was informed that I was involved in a car crash, so I asked if it was serious and whether I was alright; another time I was asked if I was involved in a car crash, so I told them it was a fatal accident and that I was dead; then there was the time when I was asked when I would be prepared for a survey for loft insulation and wall cavity inspection, so I said that there was no need as I used popcorn for loft insulation and that my house didn't have walls (my children were crying - due to laughing so much - at that one). Oh, and I have had fun with people offering "Nigerian" millions too.

My point is that these surveys are geared to provide these answers in order to shock.

Edit: Grammatical error!!!


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1542443
Posted Tuesday, February 18, 2014 3:30 AM
Mr or Mrs. 500


Group: General Forum Members
Last Login: Friday, September 19, 2014 11:59 PM
Points: 542, Visits: 2,122
Have a go at creating an email account on yahoo using the name Ronald Reagan and variants to create an email address from this name. The number of email addresses already used for this name is actually not that bad. They may even be legitimate.
I tried it with my name and was surprised how many email variants were already used. And I always thought that my name+surname was fairly unique. Now I need to find my twins in this world.

Here is another variant of this.
A friend of mine recently had his name.surname@gmail account hacked into by someone in Lagos, Nigeria (he has never gotten within 1000 km of Nigeria). The bad guy must have hacked into a session where the password was still considered valid. Fortunately, the password wasn't changed, because this requires specifying the old password. However, to create some confusion the hacker set the default language to Arabic and (here comes the good part) set the reply email to name.surname@yahoo.com. Then the hacker sent an email to all the contacts asking for money etc. etc. Anyone doing a reply sending this guy to hell, or maybe just a simple question mark, would very likely only see the name.surname and not catch the change from @gmail to @yahoo. Oh yes, at the end the hacker erased all contacts and emails.

So what is the next step? Contact Yahoo and Gmail? Forget it!
Gmail simply doesn't answer when you notify them of this.
Yahoo says it can't help with this because it violates their privacy policy. Thus this hacker is protected!

So what shall we call these emails that use your name?
Is it a form of identity theft?
The term email squatter also comes to my mind.

OK, it's time to find my twins.
I'll send them an email.
Post #1542444
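The Reply-To trick in the post above (same name.surname local part, different domain) is easy to miss by eye but easy to check mechanically. The following is an added example, not code from the thread: it parses a raw message with the standard library and flags a Reply-To that silently diverts replies to a different domain. The sample messages and addresses are constructed.

```python
# Added example (not from the thread): flag messages whose Reply-To would send
# replies to a different domain than the From address, as in the hijacked
# name.surname@gmail.com -> name.surname@yahoo.com case. Standard library only.
from email import message_from_string
from email.utils import parseaddr


def reply_to_mismatch(raw_message: str) -> dict:
    """Report whether Reply-To diverts replies away from the From address.

    Returns {'from', 'reply_to', 'diverted', 'reason'}. 'diverted' is True when
    a Reply-To is present and its domain differs from the From domain; the
    reason notes when the local parts match (the look-alike case above).
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    result = {"from": from_addr, "reply_to": reply_addr or None,
              "diverted": False, "reason": ""}
    if not reply_addr or reply_addr.lower() == from_addr.lower():
        return result  # no Reply-To, or it matches: replies go to the sender
    from_local, _, from_domain = from_addr.rpartition("@")
    reply_local, _, reply_domain = reply_addr.rpartition("@")
    if from_domain.lower() != reply_domain.lower():
        result["diverted"] = True
        if from_local.lower() == reply_local.lower():
            result["reason"] = "same local part, different domain (look-alike)"
        else:
            result["reason"] = "reply-to points to a different domain"
    return result


# Constructed sample messages modelled on the incident described in the post.
SAMPLE_HIJACKED = """\
From: "Name Surname" <name.surname@gmail.com>
Reply-To: "Name Surname" <name.surname@yahoo.com>
To: friend@example.org
Subject: Urgent help needed

I am stranded abroad and need money, please reply.
"""

SAMPLE_CLEAN = """\
From: "Name Surname" <name.surname@gmail.com>
To: friend@example.org
Subject: Lunch?

Free on Friday?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_HIJACKED, SAMPLE_CLEAN):
        print(reply_to_mismatch(raw))
```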
Posted Tuesday, February 18, 2014 6:46 AM
SSCrazy


Group: General Forum Members
Last Login: Today @ 10:14 AM
Points: 2,582, Visits: 3,887
paul.knibbs (2/18/2014)
SQLRNNR (2/17/2014)

the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link.


The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.


You really have to be careful when they ask you for your bank account so they can deposit the $100.

Social engineering is a common way to hack. It's pretty easy to get someone to give up their user id and password.

"Hi. I'm Chad from Unintelligible Technologies. I am a contractor assigned to a project. May I please have your user name and password? I need to run some tests. This has been approved by your I.T. staff."
Post #1542541
Posted Tuesday, February 18, 2014 7:15 AM
Right there with Babe


Group: General Forum Members
Last Login: Tuesday, September 2, 2014 8:37 AM
Points: 751, Visits: 1,917
Companies looking to piggyback on 'freebie' consumer accounts (Twitter, Facebook, YouTube) are upset that identity could be compromised. Duh. All these 'freebie' assets available on the internet would not be free at all if a chain of identity information was involved. Too much maintenance expense.

One of the great things about the internet is that it became a playing field leveller... anyone can play. The price of that is that anyone can play.


...

-- FORTRAN manual for Xerox Computers --
Post #1542556
Posted Tuesday, February 18, 2014 7:40 AM


SSCoach


Group: General Forum Members
Last Login: Today @ 10:19 AM
Points: 17,734, Visits: 15,600
Gary Varga (2/18/2014)
paul.knibbs (2/18/2014)
SQLRNNR (2/17/2014)

the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link.


The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.


What these surveys never seem to test is how many people deliberately hand over an incorrect password to get the $100. I would. Just like I have a lot of fun with cold callers when it suits me; one time I was informed that I was involved in a car crash, so I asked if it was serious and whether I was alright; another time I was asked if I was involved in a car crash, so I told them it was a fatal accident and that I was dead; then there was the time when I was asked when I would be prepared for a survey for loft insulation and wall cavity inspection, so I said that there was no need as I used popcorn for loft insulation and that my house didn't have walls (my children were crying - due to laughing so much - at that one). Oh, and I have had fun with people offering "Nigerian" millions too.

My point is that these surveys are geared to provide these answers in order to shock.

Edit: Grammatical error!!!


Thanks for the ideas for the cold callers.




Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server


SQL RNNR

Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1542573
Posted Tuesday, February 18, 2014 9:27 AM
Valued Member


Group: General Forum Members
Last Login: 2 days ago @ 7:48 AM
Points: 67, Visits: 433
Maybe now is the right time to switch to multi-factor authentication on all your accounts. Well, at least on all accounts that allow this additional security measure. Notice that even with this facility in place, many companies do not have very strict policies on resetting your password at the request of someone who claims to be you. How strict should companies be on these requests? Have you tried calling them to find out what they ask you? And checked how easily that information can be obtained by a malicious stranger? I do not have the solution in my hands, but I am very curious about your ideas on this. Sometimes someone will forget his or her password, but how do you combine service with security in these cases? It is hard ...
Post #1542649