Experts vs not experts in security

PostPosted: Sun Jul 26, 2015 1:13 pm
by DoomRater
http://lifehacker.com/how-the-experts-p ... socialflow

I'll admit, I didn't expect to see this much variance between experts and nonexperts... Probably not new information for some of you but still worth a look.

Re: Experts vs not experts in security

PostPosted: Mon Jul 27, 2015 1:37 am
by DaMan
#1 should be nuke Flash from orbit, but it's been a whole week without an exploit so maybe it's secure now.

Re: Experts vs not experts in security

PostPosted: Mon Jul 27, 2015 3:24 am
by Enjay
Or, if you are in some work places I might happen to know...

  1. Force employees to make passwords so "strong" that they must contain all sorts of non-standard characters and be so long that hardly anyone can remember them so they write them down and leave them by the computer.
  2. Force employees to change their password every couple of weeks but because the passwords are so difficult to remember, almost everyone just keeps the same password and increments the last number by 1 each time, keeping a note of the current number by the computer.
  3. Have a number of different pieces of software all requiring similarly strong passwords so employees use the same one for each piece of software to minimise what they have to try and remember.
  4. Rarely update software because of the hassle of updating all the machines and getting permission from IT central.
  5. Have a log-on screen that appears every time a person logs on which has a full-screen wall of tiny text which reminds people of their responsibilities when using the machines and which has an "Accept" button at the bottom which everyone presses automatically because no one has the time to read the wall of text.

    And for a bonus
  6. Auto-ban anything that looks vaguely like an executable file of any sort so that it won't run. I guess this is sensible enough in itself from a security point of view, but the policies are such that getting permission to use software is such a convoluted process, and one likely to be disallowed by the decision makers, that useful, legitimate software cannot be brought in and used.

    And as a final bonus
  7. Send frequent emails to employees reminding them of their responsibilities which no one reads past the first line after realising "oh, it's one of those boring IT emails again". But remember folks, it's your responsibility.

Yeah, some work places make the non-experts in that article look like security geniuses.

Re: Experts vs not experts in security

PostPosted: Mon Jul 27, 2015 10:36 am
by DoomRater
*head explode*

Re: Experts vs not experts in security

PostPosted: Mon Jul 27, 2015 11:58 am
by merlin86
Some nice things from various CLs (Clueless (L)users):
- The password is "return". Not the word, the return key.
- A file named "password.txt" on the Windows Desktop.
- Very important VPN passwords, site passwords, and so on, sent in normal e-mails.
- Antivirus disabled because "it's slow". Yep, corporation policy says the users must have administrator rights for their computers (but, thanks to the gods, not for the domain).

Sometimes my BOFH part wishes to have something like this :D :
or just some pretty heavy LART... just kidding :D

Anyway did you hear about Hacking Team leak?

Re: Experts vs not experts in security

PostPosted: Mon Jul 27, 2015 2:51 pm
by Graf Zahl
Enjay wrote: Or, if you are in some work places I might happen to know...

Don't remind me. The parent company of one of my former employers had some ties to a security company and working with them was close to impossible because everything was locked down.

- We had no access to their servers because it was 'too dangerous'. But we needed some server connections to exchange data. So we put up our own one hosting lots of sensitive data. If someone had known there would have been Hell to pay...
- E-mails blocked *ALL* attachments, so it was completely impossible to work with these people with sanctioned means of communication. The end of the story was that important data had to be exchanged via PRIVATE e-mail, circumventing all security measures that were put up to protect the company's assets. I do not think that this is what these morons had in mind...

Sometimes I ask myself what kind of weed these security people were smoking...

Re: Experts vs not experts in security

PostPosted: Mon Jul 27, 2015 3:02 pm
by Enjay
Graf Zahl wrote: - E-mails blocked *ALL* attachments, so it was completely impossible to work with these people with sanctioned means of communication. The end of the story was that important data had to be exchanged via PRIVATE e-mail, circumventing all security measures that were put up to protect the company's assets. I do not think that this is what these morons had in mind...

Yes, I've experienced that one too. Of course, what we should really do in a situation like that is just comply with their system. Then work would grind to a halt and the system would have to be fixed. However, generally people want to get on and do what they are meant to do, so people end up inventing ways to circumvent the system instead.

Re: Experts vs not experts in security

PostPosted: Mon Jul 27, 2015 10:14 pm
by DoomRater
Speaking of non-experts, how many of them will be knee-jerk boycotting Chrome and their refusal to load Java, Unity, and the like?

Re: Experts vs not experts in security

PostPosted: Tue Jul 28, 2015 12:40 am
by Graf Zahl
Enjay wrote: Yes, I've experienced that one too. Of course, what we should really do in a situation like that is just comply with their system.

And then? Been there, done that. They blame YOU, not the system because management (read: men in suits and ties) doesn't understand how IT security is building obstacles. They see both issues in isolation and never realize how the one is blocking the other.

Re: Experts vs not experts in security

PostPosted: Tue Jul 28, 2015 3:32 am
by Enjay
True, true. I don't know what the solution is though. Is it simply something that will eventually become less of an issue as people at all levels in a business become more IT familiar? Or is it merely a symptom of something that has always existed (and probably always will) that management tend to be out of touch with the current day-to-day nuts and bolts of doing the job that the business exists to do? As a person moves on and up, it really doesn't take long to become out of step with what is being done on "the shop floor" because things change and evolve so fast in many fields. To be generous to their side, keeping pace with shop-floor work can be a major task and they have their own set of daily pressures to worry about. Of course, actually listening to advice from people who know what is going on at shop floor level wouldn't hurt.

One thing seems clear to me though, by circumventing the system, the men in suits believe that the system is working because the job is getting done and their security system is, as far as they are concerned, in place and working. However, as you said, if you don't circumvent the system, then it becomes your fault that the job wasn't done. Equally, if you get caught bypassing the system, you're in hot water for not complying with company procedures. :?

Re: Experts vs not experts in security

PostPosted: Tue Jul 28, 2015 12:28 pm
by merlin86
Well, if someone wants to break into a computer to retrieve data, he will succeed.
Social engineering, advanced malware/rootkits, 0-day exploits, heck, in Italy they even did BGP hijacking (source: http://blog.bofh.it/id_456 )

Re: Experts vs not experts in security

PostPosted: Fri Jul 31, 2015 3:13 pm
by DoomRater
On the topic of social engineering, the landline here got a call from someone claiming to be Microsoft saying my computer was sending errors to their server. When asked what errors were being sent, I didn't get a response on what error it was. So immediately I could rule out trying to get Windows 10 to work on a tablet (though had I been thinking a bit more clearly about the situation, I would have thrown on my character persona and tried to squeeze some info out instead of pressing to make sure to myself it wasn't legit). Once the person said it was due to malware on the computer I hung up. God I wish I had threatened to use "my company's assets" to make his life hard...

Also saw the Chrome message about Flash using the old API and not working anymore with Chrome on my miniPC. I re-enabled it for then since I wanted the computer to actually watch my Steven Universe, but the whole system needs a proper OS that isn't going to bug me about not being legit all day anyway.

Re: Experts vs not experts in security

PostPosted: Sat Aug 01, 2015 10:37 am
by merlin86
DoomRater wrote: On the topic of social engineering, the landline here got a call from someone claiming to be Microsoft saying my computer was sending errors to their server.

About those fake tech support things, watch this:
:D