The Security of Interconnected Systems
Steve Jones
Comments posted to this topic are about the item The Security of Interconnected Systems

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
SQLRNNR
the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link. Every network has a vulnerability. Hackers rely and prey on those weaknesses. Many of the weaknesses are easy enough to plug and reinforce - from a tech perspective. If the vulnerability is not plugged, what does that say about the people responsible for plugging those holes? They need a little training and exposure to the risk.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

Gary Varga
Totally agree. Every time one tackles the weakest point, the security bar is raised. I always think that any system can be broken into. By making it as difficult as is economically possible, at the very least you stop the vandals, i.e. people following instructions and running other people's scripts and kits.

As they say, when being chased by a bear you don't have to be faster than the bear just faster than the person you are with ;-)

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
paul.knibbs
SQLRNNR (2/17/2014)

the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link.


The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.
Gary Varga
paul.knibbs (2/18/2014)
SQLRNNR (2/17/2014)

the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link.


The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.


What these surveys never seem to test is how many people deliberately hand over an incorrect password to get the $100. I would. Just like I have a lot of fun with cold callers when it suits me: one time I was informed that I had been involved in a car crash, so I asked if it was serious and whether I was alright; another time I was asked if I had been involved in a car crash, so I told them it was a fatal accident and that I was dead; and then there was the time I was asked when I would be available for a survey on loft insulation and wall cavity inspection, so I said that there was no need as I used popcorn for loft insulation and my house didn't have walls (my children were crying - due to laughing so much - at that one). Oh, and I have had fun with people offering "Nigerian" millions too :-D

My point is that these surveys are geared to provide these answers in order to shock.

Edit: Grammatical error!!!

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Michael Meierruth
Have a go at creating an email account on yahoo using the name Ronald Reagan and variants to create an email address from this name. The number of email addresses already used for this name is actually not that bad. They may even be legitimate.
I tried it with my name and was surprised how many email variants were already used. And I always thought that my name+surname was fairly unique. Now I need to find my twins in this world.

Here is another variant of this.
A friend of mine recently had his name.surname@gmail account hacked into by someone in Lagos, Nigeria (he has never gotten within 1000 km of Nigeria). The bad guy must have hacked into a session where the password was still considered valid. Fortunately, the password wasn't changed because this requires specifying the old password. However, to create some confusion the hacker set the default language to Arabic and (here comes the good part) set the reply email to name.surname@yahoo.com. Then the hacker sent an email to all the contacts asking for money etc. Anyone doing a reply sending this guy to hell, or maybe just a simple question mark, would very likely only see the name.surname and not catch the change from @gmail to @yahoo. Oh yes, at the end the hacker erased all contacts and emails.

So what is the next step? Contact Yahoo and Gmail? Forget it!
Gmail simply doesn't answer when you notify them of this.
Yahoo says it can't help with this because it violates their privacy policy. Thus this hacker is protected!

So what shall we call these emails that use your name?
Is it a form of identity theft?
The term email squatter also comes to my mind.

OK, it's time to find my twins.
I'll send them an email.
Hehe
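The Reply-To switch described in the post above is something a mail filter or a careful reader's script can flag mechanically: the visible From address stays on the victim's domain while replies are silently routed to a look-alike mailbox elsewhere. The following is an added example, not code from the post, from SQLServerCentral or from any mail provider; the two messages are constructed, the names and addresses in them are hypothetical, and the helper names are my own.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): From is the victim's Gmail account,
# but the hijacker has set Reply-To to a look-alike Yahoo address with the
# same local part. Names and addresses are hypothetical.
HIJACKED_RAW = """From: Name Surname <name.surname@gmail.com>
Reply-To: Name Surname <name.surname@yahoo.com>
To: friend@example.org
Subject: Urgent help needed

I am stuck abroad and need money wired today.
"""

# Constructed benign sample: no Reply-To at all, so replies go back to From.
BENIGN_RAW = """From: Name Surname <name.surname@gmail.com>
To: friend@example.org
Subject: Lunch on Friday?

Still on for Friday?
"""


def split_address(header_value):
    """Return (local_part, domain) of the address in a From/Reply-To header,
    both lower-cased; empty strings if the header has no usable address."""
    _display_name, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return "", ""
    local, domain = addr.rsplit("@", 1)
    return local.lower(), domain.lower()


def check_reply_to(raw_message):
    """Compare the From and Reply-To addresses of an RFC 5322 message.

    Returns a dict with:
      redirected      - a Reply-To header is present and differs from From
      domain_mismatch - Reply-To lands on a different domain than From
      same_local_part - only the domain changed (the look-alike case a
                        reader skimming "name.surname" is least likely to see)
      suspicious      - reply address moved to another domain while keeping
                        the same local part
    """
    msg = message_from_string(raw_message)
    from_local, from_domain = split_address(msg.get("From"))
    reply_to = msg.get("Reply-To")
    if reply_to is None:
        return {"redirected": False, "domain_mismatch": False,
                "same_local_part": False, "suspicious": False}
    reply_local, reply_domain = split_address(reply_to)
    redirected = (reply_local, reply_domain) != (from_local, from_domain)
    domain_mismatch = redirected and reply_domain != from_domain
    same_local_part = redirected and reply_local == from_local
    return {
        "redirected": redirected,
        "domain_mismatch": domain_mismatch,
        "same_local_part": same_local_part,
        "suspicious": domain_mismatch and same_local_part,
    }


if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED_RAW), ("benign", BENIGN_RAW)):
        print(label, check_reply_to(raw))
```

Treat the result as a warning to surface to the reader, not a reason to drop the message: mailing lists and ticketing systems set Reply-To legitimately, so only the combination of a changed domain and an unchanged local part is singled out as suspicious here.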
OCTom
paul.knibbs (2/18/2014)
SQLRNNR (2/17/2014)

the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link.


The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.


You really have to be careful when they ask you for your bank account so they can deposit the $100. ;-)

Social engineering is a common way to hack. It's pretty easy to get someone to give up their user id and password.

"Hi. I'm Chad from Unintelligible Technologies. I am a contractor assigned to a project. May I please have your user name and password? I need to run some tests. This has been approved by your I.T. staff."
jay-h
Companies looking to piggyback on 'freebie' consumer accounts (Twitter, Facebook, YouTube) are upset that identity could be compromised. Duh. All these 'freebie' assets available on the internet would not be free at all if a chain of identity information was involved. Too much maintenance expense.

One of the great things about the internet is that it became a playing field leveller... anyone can play. The price of that is that anyone can play.

...

-- FORTRAN manual for Xerox Computers --
SQLRNNR
Gary Varga (2/18/2014)
paul.knibbs (2/18/2014)
SQLRNNR (2/17/2014)

the ability to protect the entire system is dependent on the weakest link


That needs to be underscored. No matter the system, there is a weakest link.


The weakest link is almost invariably the people. Wasn't there a survey done recently where something like a third of the participants said they'd tell someone their password for $100? And that's ignoring the various social engineering scams that can be used to get someone to inadvertently give out information they shouldn't.


What these surveys never seem to test is how many people deliberately hand over an incorrect password to get the $100. I would. Just like I have a lot of fun with cold callers when it suits me: one time I was informed that I had been involved in a car crash, so I asked if it was serious and whether I was alright; another time I was asked if I had been involved in a car crash, so I told them it was a fatal accident and that I was dead; and then there was the time I was asked when I would be available for a survey on loft insulation and wall cavity inspection, so I said that there was no need as I used popcorn for loft insulation and my house didn't have walls (my children were crying - due to laughing so much - at that one). Oh, and I have had fun with people offering "Nigerian" millions too :-D

My point is that these surveys are geared to provide these answers in order to shock.

Edit: Grammatical error!!!


Thanks for the ideas for the cold callers.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

vliet
Maybe now is the right time to switch to multi-factor authentication on all your accounts. Well, at least on all accounts that allow this additional security measure. Notice that even with this facility in place, many companies do not have very strict policies on resetting your password on someone's request who claims to be you. How strict should companies be on these requests? Have you tried calling them to find out what they ask you? And checked how easy that information can be obtained by a malicious stranger? I do not have the solution in my hands, but I am very curious about your ideas about this. Sometimes someone will forget his or her password, but how do you combine service with security in these cases? It is hard ...