Experts vs not experts in security

If it's not ZDoom, it goes here.

Experts vs not experts in security

Postby DoomRater » Sun Jul 26, 2015 1:13 pm

http://lifehacker.com/how-the-experts-p ... socialflow

I'll admit, I didn't expect to see this much variance between experts and nonexperts... Probably not new information for some of you but still worth a look.
DoomRater
Hi, I'm bob.
 
Joined: 28 Jul 2004
Location: WATR HQ
Discord: DoomRater#6308

Re: Experts vs not experts in security

Postby DaMan » Mon Jul 27, 2015 1:37 am

#1 should be nuke Flash from orbit, but it's been a whole week without an exploit, so maybe it's secure now.
DaMan
100M club member
 
Joined: 01 Jan 2010

Re: Experts vs not experts in security

Postby Enjay » Mon Jul 27, 2015 3:24 am

Or, if you are in some workplaces I might happen to know...

  1. Force employees to make passwords so "strong" that they must contain all sorts of non-standard characters and be so long that hardly anyone can remember them, so they write them down and leave them by the computer.
  2. Force employees to change their password every couple of weeks, but because the passwords are so difficult to remember, almost everyone just keeps the same password and increments the last number by 1 each time, keeping a note of the current number by the computer.
  3. Have a number of different pieces of software all requiring similarly strong passwords, so employees use the same one for each piece of software to minimise what they have to try and remember.
  4. Rarely update software because of the hassle of updating all the machines and getting permission from IT central.
  5. Have a log-on screen that appears every time a person logs on, which has a full-screen wall of tiny text reminding people of their responsibilities when using the machines, and which has an "Accept" button at the bottom that everyone presses automatically because no one has the time to read the wall of text.

  And for a bonus:
  6. Auto-ban anything that looks vaguely like an executable file of any sort so that it won't run. I guess this is sensible enough in itself from a security point of view, but the policies are such that getting permission to use software is such a convoluted process, and one likely to be disallowed by the decision makers, that useful, legitimate software cannot be brought in and used.

  And as a final bonus:
  7. Send frequent emails to employees reminding them of their responsibilities, which no one reads past the first line after realising "oh, it's one of those boring IT emails again". But remember, folks, it's your responsibility.

Yeah, some workplaces make the non-experts in that article look like security geniuses.
Enjay
Everyone is a moon, and has a dark side which he never shows to anybody. Twain
Joined: 15 Jul 2003
Location: Scotland
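Points 2 and 3 of Enjay's list describe a rotation policy that degenerates into "same password, last number plus one". A password-change check that actually catches that habit is shown below as an added example; it is not code from the thread or from any project mentioned in it. It assumes the change form asks the user for the current password in plaintext (so current and new can be compared directly) and that older passwords survive only as stored hashes (so they can only be checked for exact reuse). The sample passwords, the history list and the unsalted SHA-256 stand-in for a real password hash are all constructed for the example.

```python
import hashlib
import re

# Stand-in for a proper password hash. A real system would use a slow, salted
# hash (bcrypt, scrypt, argon2); plain SHA-256 is used here only so the example
# runs with the standard library alone.
def pw_hash(pw):
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

# Constructed sample: hashes of the user's two previous passwords, oldest first,
# and the password the user currently types into the "old password" field.
HISTORY_HASHES = [pw_hash(p) for p in ("Tr0ub4dor&3", "Tr0ub4dor&4")]
CURRENT_PASSWORD = "Tr0ub4dor&5"

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")

def split_trailing_number(pw):
    """Split 'Summer2015' into ('Summer', 2015). No trailing digits -> (pw, None)."""
    m = _TRAILING_DIGITS.match(pw)
    if not m:
        return pw, None
    return m.group(1), int(m.group(2))

def is_increment_of(old, new):
    """True when `new` is `old` with only its trailing number changed: the
    'increment the last number by 1' pattern, plus any other number swap."""
    old_stem, old_num = split_trailing_number(old)
    new_stem, new_num = split_trailing_number(new)
    if old_num is None or new_num is None:
        return False
    return old_stem == new_stem

def is_trivial_variation(old, new):
    """Catch the cheap edits people make when forced to rotate: identical,
    case-only change, trailing-number change, or one character tacked on."""
    if old == new:
        return True
    if old.lower() == new.lower():
        return True
    if is_increment_of(old, new):
        return True
    if len(new) == len(old) + 1 and (new.startswith(old) or new.endswith(old)):
        return True
    return False

def check_new_password(current, new, history_hashes, min_length=10):
    """Return (accepted, reason).

    `current` is the plaintext the user supplied for their existing password;
    `history_hashes` holds hashes of earlier passwords (exact reuse only).
    """
    if len(new) < min_length:
        return False, "too short"
    if pw_hash(new) in history_hashes:
        return False, "reuses a previous password"
    if is_trivial_variation(current, new):
        return False, "trivial variation of the current password"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&6", "Tr0ub4dor&3", "tr0ub4dor&5",
                      "Tr0ub4dor&5!", "correct horse battery staple"):
        print(repr(candidate), "->", check_new_password(CURRENT_PASSWORD, candidate, HISTORY_HASHES))
```

The split between `current` (compared in plaintext) and `history_hashes` (compared by hash) is the realistic constraint: a change form can inspect the old and new values side by side, but it cannot run variation checks against passwords it no longer holds in the clear. The more useful lesson from the list is the one the check cannot fix: a rotation schedule short enough to force this behaviour is itself the weakness, and a long, memorable password kept for longer beats "Tr0ub4dor&6" next fortnight.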

Re: Experts vs not experts in security

Postby DoomRater » Mon Jul 27, 2015 10:36 am

*head explode*
DoomRater
Hi, I'm bob.
 
Joined: 28 Jul 2004
Location: WATR HQ
Discord: DoomRater#6308

Re: Experts vs not experts in security

Postby merlin86 » Mon Jul 27, 2015 11:58 am

Some nice things from various CLs (Clueless (L)users):
- The password is "return". Not the word, the return key.
- A file named "password.txt" on the Windows Desktop.
- Very important VPN passwords/site passwords/and so on in normal e-mails.
- Antivirus disabled because "it's slow". Yep, corporate policy says the users must have administrator rights on their computers (but, thanks to the gods, not on the domain).

Sometimes the BOFH part of me wishes to have something like this :D :
Spoiler:


or just some pretty heavy LART... just kidding :D

Anyway, did you hear about the Hacking Team leak?
merlin86
Somewhere between supercazzola and quintana
 
Joined: 29 Jan 2008
Discord: LuciferSam#7338
Twitch ID: LuciferSam86
Github ID: LuciferSam86
Operating System: Windows 10/8.1/8/201x 64-bit
OS Test Version: Yes (Using Development/Testing Version)
Graphics Processor: nVidia with Vulkan support

Re: Experts vs not experts in security

Postby Graf Zahl » Mon Jul 27, 2015 2:51 pm

Enjay wrote:Or, if you are in some workplaces I might happen to know...


Don't remind me. The parent company of one of my former employers had some ties to a security company and working with them was close to impossible because everything was locked down.

- We had no access to their servers because it was 'too dangerous'. But we needed some server connections to exchange data. So we put up our own one hosting lots of sensitive data. If someone had known there would have been Hell to pay...
- E-mails blocked *ALL* attachments, so it was completely impossible to work with these people through sanctioned means of communication. The end of the story was that important data had to be exchanged via PRIVATE e-mail, circumventing all the security measures that were put up to protect the company's assets. I do not think that this is what these morons had in mind...

Sometimes I ask myself what kind of weed these security people were smoking...
Graf Zahl
Lead GZDoom+Raze Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: Experts vs not experts in security

Postby Enjay » Mon Jul 27, 2015 3:02 pm

Graf Zahl wrote:- E-mails blocked *ALL* attachments, so it was completely impossible to work with these people through sanctioned means of communication. The end of the story was that important data had to be exchanged via PRIVATE e-mail, circumventing all the security measures that were put up to protect the company's assets. I do not think that this is what these morons had in mind...

Yes, I've experienced that one too. Of course, what we should really do in a situation like that is just comply with their system. Then work would grind to a halt and the system would have to be fixed. However, generally people want to get on and do what they are meant to do, so people end up inventing ways to circumvent the system instead.
Enjay
Everyone is a moon, and has a dark side which he never shows to anybody. Twain
Joined: 15 Jul 2003
Location: Scotland

Re: Experts vs not experts in security

Postby DoomRater » Mon Jul 27, 2015 10:14 pm

Speaking of non-experts, how many of them will be knee-jerk boycotting Chrome over its refusal to load Java, Unity, and the like?
DoomRater
Hi, I'm bob.
 
Joined: 28 Jul 2004
Location: WATR HQ
Discord: DoomRater#6308

Re: Experts vs not experts in security

Postby Graf Zahl » Tue Jul 28, 2015 12:40 am

Enjay wrote:Yes, I've experienced that one too. Of course, what we should really do in a situation like that is just comply with their system.


And then? Been there, done that. They blame YOU, not the system because management (read: men in suits and ties) doesn't understand how IT security is building obstacles. They see both issues in isolation and never realize how the one is blocking the other.
Graf Zahl
Lead GZDoom+Raze Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: Experts vs not experts in security

Postby Enjay » Tue Jul 28, 2015 3:32 am

True, true. I don't know what the solution is though. Is it simply something that will eventually become less of an issue as people at all levels in a business become more IT familiar? Or is it merely a symptom of something that has always existed (and probably always will) that management tend to be out of touch with the current day-to-day nuts and bolts of doing the job that the business exists to do? As a person moves on and up, it really doesn't take long to become out of step with what is being done on "the shop floor" because things change and evolve so fast in many fields. To be generous to their side, keeping pace with shop-floor work can be a major task and they have their own set of daily pressures to worry about. Of course, actually listening to advice from people who know what is going on at shop floor level wouldn't hurt.

One thing seems clear to me though, by circumventing the system, the men in suits believe that the system is working because the job is getting done and their security system is, as far as they are concerned, in place and working. However, as you said, if you don't circumvent the system, then it becomes your fault that the job wasn't done. Equally, if you get caught bypassing the system, you're in hot water for not complying with company procedures. :?
Enjay
Everyone is a moon, and has a dark side which he never shows to anybody. Twain
Joined: 15 Jul 2003
Location: Scotland

Re: Experts vs not experts in security

Postby merlin86 » Tue Jul 28, 2015 12:28 pm

Well, if someone wants to break into a computer to retrieve data, he will succeed.
Social engineering, advanced malware/rootkits, 0-day exploits; heck, in Italy they even did BGP hijacking (source: http://blog.bofh.it/id_456 ).
merlin86
Somewhere between supercazzola and quintana
 
Joined: 29 Jan 2008
Discord: LuciferSam#7338
Twitch ID: LuciferSam86
Github ID: LuciferSam86
Operating System: Windows 10/8.1/8/201x 64-bit
OS Test Version: Yes (Using Development/Testing Version)
Graphics Processor: nVidia with Vulkan support

Re: Experts vs not experts in security

Postby DoomRater » Fri Jul 31, 2015 3:13 pm

On the topic of social engineering, the landline here got a call from someone claiming to be Microsoft saying my computer was sending errors to their server. When asked what errors were being sent, I didn't get a response on what error it was. So immediately I could rule out trying to get Windows 10 to work on a tablet (though had I been thinking a bit more clearly about the situation, I would have thrown on my character persona and tried to squeeze some info out instead of pressing to make sure to myself it wasn't legit). Once the person said it was due to malware on the computer I hung up. God I wish I had threatened to use "my company's assets" to make his life hard...

Also saw the Chrome message about Flash using the old API and not working anymore with Chrome on my miniPC. I re-enabled it for the time being, since I wanted the computer to actually watch my Steven Universe, but the whole system needs a proper OS that isn't going to bug me about not being legit all day anyway.
DoomRater
Hi, I'm bob.
 
Joined: 28 Jul 2004
Location: WATR HQ
Discord: DoomRater#6308

Re: Experts vs not experts in security

Postby merlin86 » Sat Aug 01, 2015 10:37 am

DoomRater wrote:On the topic of social engineering, the landline here got a call from someone claiming to be Microsoft saying my computer was sending errors to their server.


About those fake tech support things, watch this:
:D
merlin86
Somewhere between supercazzola and quintana
 
Joined: 29 Jan 2008
Discord: LuciferSam#7338
Twitch ID: LuciferSam86
Github ID: LuciferSam86
Operating System: Windows 10/8.1/8/201x 64-bit
OS Test Version: Yes (Using Development/Testing Version)
Graphics Processor: nVidia with Vulkan support

