February 17, 2014 at 8:29 pm
Comments posted to this topic are about the item The Security of Interconnected Systems
February 17, 2014 at 8:37 pm
the ability to protect the entire system is dependent on the weakest link
That needs to be underscored. No matter the system, there is a weakest link. Every network has a vulnerability. Hackers rely and prey on those weaknesses. Many of the weaknesses are easy enough to plug and reinforce - from a tech perspective. If the vulnerability is not plugged, what does that say about the people responsible for plugging those holes? They need a little training and exposure to the risk.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
February 18, 2014 at 1:41 am
Totally agree. Every time one tackles the weakest point, the security bar is raised. I always think that any system can be broken into. By making it as difficult as is economically possible, at the very least you stop the vandals, i.e. people following instructions and running other people's scripts and kits.
As they say, when being chased by a bear you don't have to be faster than the bear, just faster than the person you are with 😉
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
February 18, 2014 at 2:50 am
SQLRNNR (2/17/2014)
the ability to protect the entire system is dependent on the weakest link
That needs to be underscored. No matter the system, there is a weakest link.
The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.
February 18, 2014 at 3:27 am
paul.knibbs (2/18/2014)
SQLRNNR (2/17/2014)
the ability to protect the entire system is dependent on the weakest link
That needs to be underscored. No matter the system, there is a weakest link.
The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.
What these surveys never seem to test is how many people deliberately hand over an incorrect password to get the $100. I would. Just like I have a lot of fun with cold callers when it suits me: one time I was informed that I had been involved in a car crash, so I asked if it was serious and whether I was alright; another time I was asked if I had been involved in a car crash, so I told them it was a fatal accident and that I was dead; then there was the time I was asked when I would be available for a survey on loft insulation and wall cavity inspection, so I said that there was no need as I used popcorn for loft insulation and that my house didn't have walls (my children were crying - due to laughing so much - at that one). Oh, and I have had fun with people offering "Nigerian" millions too 😀
My point is that these surveys are geared to provide these answers in order to shock.
Edit: Grammatical error!!!
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
February 18, 2014 at 3:30 am
Have a go at creating an email account on yahoo using the name Ronald Reagan and variants to create an email address from this name. The number of email addresses already used for this name is actually not that bad. They may even be legitimate.
I tried it with my name and was surprised how many email variants were already used. And I always thought that my name+surname was fairly unique. Now I need to find my twins in this world.
Here is another variant of this.
A friend of mine recently had his name.surname@gmail account hacked into by someone in Lagos, Nigeria (he has never gotten within 1,000 km of Nigeria). The bad guy must have hacked into a session where the password was still considered valid. Fortunately, the password wasn't changed because this requires specifying the old password. However, to create some confusion the hacker set the default language to Arabic and (here comes the good part) set the reply email to name.surname@yahoo.com. Then the hacker sent an email to all the contacts asking for money etc. etc. Anyone doing a reply sending this guy to hell, or maybe just a simple question mark, would very likely only see the name.surname and not catch the change from @gmail to @yahoo. Oh yes, at the end the hacker erased all contacts and emails.
So what is the next step? Contact Yahoo and Gmail? Forget it!
Gmail simply doesn't answer when you notify them of this.
Yahoo says it can't help with this because it violates their privacy policy. Thus this hacker is protected!
So what shall we call these emails that use your name?
Is it a form of identity theft?
The term email squatter also comes to my mind.
OK, it's time to find my twins.
I'll send them an email.
:hehe:
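The trick described in the post above (From header unchanged, Reply-To silently pointed at a lookalike account on another provider) is mechanically easy to spot if you look at the address part of the headers rather than the display name. The following is an added example, not code from the post or from either mail provider; the two sample messages are constructed to mirror the story, and the severity labels are this example's own convention.

```python
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample, modelled on the compromise in the post: the visible sender
# is still the victim's Gmail address, but replies are redirected to a lookalike
# account with the same local-part on a different provider.
SAMPLE_MESSAGE = """\
From: Name Surname <name.surname@gmail.com>
Reply-To: Name Surname <name.surname@yahoo.com>
To: friend@example.com
Subject: Urgent help needed

I am stranded abroad and need money wired today.
"""

# Constructed benign sample: no Reply-To at all, replies go back to From.
SAMPLE_CLEAN = """\
From: Name Surname <name.surname@gmail.com>
To: friend@example.com
Subject: Lunch?

Free on Thursday?
"""


def reply_to_mismatch(raw_message: str):
    """Return a warning string if a reply would go somewhere other than the
    visible sender, otherwise None.

    Only the address parts of From and Reply-To are compared. The display
    name is deliberately ignored: it is the thing the scam keeps identical.
    """
    msg = Parser().parsestr(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_to_raw = msg.get("Reply-To")
    if not reply_to_raw:
        return None  # no Reply-To header: replies go to From, nothing to flag
    _reply_name, reply_addr = parseaddr(reply_to_raw)
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    if from_addr == reply_addr:
        return None  # Reply-To merely repeats From

    from_local, _, from_domain = from_addr.rpartition("@")
    reply_local, _, reply_domain = reply_addr.rpartition("@")
    # Same local-part on a different provider is exactly the trick in the post,
    # so it is rated higher than an arbitrary third-party Reply-To.
    lookalike = from_local == reply_local and from_domain != reply_domain
    severity = "HIGH" if lookalike else "MEDIUM"
    return (f"{severity}: replies to '{from_name}' go to {reply_addr}, "
            f"not the visible sender {from_addr}")


if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_MESSAGE), ("clean", SAMPLE_CLEAN)):
        print(name, "->", reply_to_mismatch(raw))
```

A legitimate Reply-To that differs from From does exist (mailing lists, ticket systems), so this is a warning to surface to the user, not a reason to drop the mail; the HIGH/MEDIUM split is there so the lookalike case can be treated more aggressively than the rest.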
February 18, 2014 at 6:46 am
paul.knibbs (2/18/2014)
SQLRNNR (2/17/2014)
the ability to protect the entire system is dependent on the weakest link
That needs to be underscored. No matter the system, there is a weakest link.
The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.
You really have to be careful when they ask you for your bank account so they can deposit the $100. 😉
Social engineering is a common way to hack. It's pretty easy to get someone to give up their user ID and password.
"Hi. I'm Chad from Unintelligible Technologies. I am a contractor assigned to a project. May I please have your user name and password? I need to run some tests. This has been approved by your I.T. staff."
February 18, 2014 at 7:15 am
Companies looking to piggyback on 'freebie' consumer accounts (Twitter, Facebook, YouTube) are upset that identity could be compromised. Duh. All these 'freebie' assets available on the internet would not be free at all if a chain of identity information was involved. Too much maintenance expense.
One of the great things about the internet is that it became a playing field leveller... anyone can play. The price of that is that anyone can play.
...
-- FORTRAN manual for Xerox Computers --
February 18, 2014 at 7:40 am
Gary Varga (2/18/2014)
paul.knibbs (2/18/2014)
SQLRNNR (2/17/2014)
the ability to protect the entire system is dependent on the weakest link
That needs to be underscored. No matter the system, there is a weakest link.
The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.
What these surveys never seem to test is how many people deliberately hand over an incorrect password to get the $100. I would. Just like I have a lot of fun with cold callers when it suits me: one time I was informed that I had been involved in a car crash, so I asked if it was serious and whether I was alright; another time I was asked if I had been involved in a car crash, so I told them it was a fatal accident and that I was dead; then there was the time I was asked when I would be available for a survey on loft insulation and wall cavity inspection, so I said that there was no need as I used popcorn for loft insulation and that my house didn't have walls (my children were crying - due to laughing so much - at that one). Oh, and I have had fun with people offering "Nigerian" millions too 😀
My point is that these surveys are geared to provide these answers in order to shock.
Edit: Grammatical error!!!
Thanks for the ideas for the cold callers.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
February 18, 2014 at 9:27 am
Maybe now is the right time to switch to multi-factor authentication on all your accounts. Well, at least on all accounts that allow this additional security measure. Notice that even with this facility in place, many companies do not have very strict policies on resetting your password at the request of someone who claims to be you. How strict should companies be on these requests? Have you tried calling them to find out what they ask you? And checked how easily that information can be obtained by a malicious stranger? I do not have the solution in my hands, but I am very curious about your ideas about this. Sometimes someone will forget his or her password, but how do you combine service with security in these cases? It is hard ...
February 18, 2014 at 10:23 am
Yes, we have newer rules to add to the old "never reuse your password" and "never reuse your security question" rules - "never reuse a credit card number".
Non-refillable Visa gift cards purchased with cash are your friend; use a different one for each account, and there should be no real way for an attacker to get from credit card number on site A to credit card number on site B.
Different refillable Visa gift cards are at least a little better than the same credit card number - it requires the attacker to go through whatever account is refilling both (all) the gift cards, so it's up to you whether or not you trust your bank, the gift card company, and whoever's in the middle (and who everyone sells the division doing the work to) :blink:
February 18, 2014 at 10:48 am
I give my credit card company a substantial amount of money by using the card and letting them collect fees for the transaction. For that consideration, I leave it up to them to dictate what should be done about fraud. If they want me to use a different card number for every vendor or transaction, I would, but they don't. It isn't where the fraud is.
With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read only log?
February 18, 2014 at 11:10 am
Robert.Sterbal (2/18/2014)
With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read only log?
Well if you go to the bottom of a gmail account there is a "Last account activity: 1 hour ago Details" link. It just tracks the IP and location that the account was accessed from in the recent past.
Even that simple change could help. Once my gmail account was hacked. They sent a spam from my gmail account to my work e-mail so I caught it quickly. The account had been accessed from India. That told me it wasn't a casual mistake.
----------------
Jim P.
A little bit of this and a little byte of that can cause bloatware.
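Robert's question above (why not write every login to a read-only log?) and Jim's experience of spotting an access from India are two halves of the same control. The following is an added example, not code from either poster or from Gmail: an append-only login log in which each record commits to the previous one by hash, so any later edit or deletion is detectable, plus the simple "new country for this user" check that would have flagged Jim's case. The login events and their field names are constructed for the example.

```python
import hashlib
import json

# Constructed login events of the kind a "Last account activity" view records.
SAMPLE_LOGINS = [
    {"ts": "2014-02-17T08:10:00Z", "user": "alice", "ip": "203.0.113.10",
     "country": "US", "ok": True},
    {"ts": "2014-02-17T18:42:00Z", "user": "alice", "ip": "203.0.113.10",
     "country": "US", "ok": True},
    {"ts": "2014-02-18T02:03:00Z", "user": "alice", "ip": "198.51.100.77",
     "country": "IN", "ok": True},
]

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes identically.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class LoginLog:
    """Append-only log; every entry's hash covers the entry before it.

    Software alone cannot make storage read-only, but chaining means that
    rewriting or dropping an entry breaks every hash after it. The newest
    hash should be copied somewhere the account itself cannot alter (the
    account owner's inbox, a separate audit store) for the check to bite.
    """

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _digest(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": h})
        return h

    def verify_chain(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def flag_new_locations(log: LoginLog) -> list:
    """Successful logins from a country the user has never logged in from."""
    seen = {}
    alerts = []
    for e in log.entries:
        ev = e["event"]
        if not ev["ok"]:
            continue
        known = seen.setdefault(ev["user"], set())
        if known and ev["country"] not in known:
            alerts.append(f"{ev['ts']} {ev['user']}: login from new country "
                          f"{ev['country']} ({ev['ip']})")
        known.add(ev["country"])
    return alerts


if __name__ == "__main__":
    log = LoginLog()
    for ev in SAMPLE_LOGINS:
        log.append(ev)
    print("chain intact:", log.verify_chain())
    for line in flag_new_locations(log):
        print(line)
```

The first login from a country is treated as the baseline and never alerted, which is the usual trade-off: an attacker who gets in first defines "normal", so the baseline should be confirmed with the user rather than trusted blindly.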
February 19, 2014 at 2:26 am
Jim P. (2/18/2014)
Robert.Sterbal (2/18/2014)
With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read only log?
Well if you go to the bottom of a gmail account there is a "Last account activity: 1 hour ago Details" link. It just tracks the IP and location that the account was accessed from in the recent past.
I'm pretty sure my online banking and credit card accounts all do that--they have a note saying "You last logged in on X". They don't give full details of what transactions were carried out then, mind you.
Security varies between those accounts quite significantly, though--the bank account requires a one-time authentication using my debit card and PIN number (using a card reader device they supplied) as well as my login details; the first credit card account requires a username, password *and* PIN; but the other credit card is just plain username and password. OK, it does the usual trick of asking you to enter certain letters from your password rather than just typing the whole thing, but I actually think that's counterproductive because it encourages you to choose a shorter password (can you imagine trying to mentally count through your lovely secure 23-letter password to find the 22nd letter?).
February 19, 2014 at 2:45 am
Authentication is a problem currently without a suitable solution.
That is what I think. I have yet to use a system that succeeds on the two criteria required:
1) Secure.
2) Usable.
For the record, I dislike the card readers. My bank issues one where you can check the PIN as many times as you like and it will helpfully tell you whether you got it right or not. OK, there are 9999 combinations, but I bet some smart person could pull it apart and automate the check, getting the PIN within a couple of hours at most. Maybe minutes or even seconds.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
Viewing 15 posts - 1 through 15 (of 16 total)