Security IT

How To Suck At Information Security

Posted by kdawson
from the words-to-the-wise dept.
wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' A very entertaining and informative read, with a total of about four dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
  • by NotPeteMcCabe (833508) on Saturday January 17, 2009 @03:24PM (#26499153)
    "Now if I could only find a way to get management to read it."

    I'm sure if you ask them to, they will.
    • by syousef (465911) on Saturday January 17, 2009 @03:52PM (#26499397) Journal

      I'm sure if you ask them to, they will.

      I'm getting a mental image of a boardroom full of executives forced to read the policy out loud at gunpoint by a sysadmin that's gone postal and insists no one will get hurt if they just read the whole thing.

      • by Cally (10873) on Saturday January 17, 2009 @06:56PM (#26501003) Homepage
        Ladies and gentlemen of the board, as you know this mighty corporation is under constant attacks by Dr Evil, SMERSH, the KGB and the Illuminati. I am now at liberty to reveal to you that we have been contacted by the Secret Service, sworn to secrecy, and issued with specially secured, James Bond laptops. Now there's only a few of these super-elite systems to go around, and only the most important people can be allowed the privilege of one of the Super Secure Laptops. So, I'll leave the room now, and you can draw lots to see which of you will have to put up with one of the standard, normal, Windows-based laptops... and who merits inclusion on the Hyper Secure System Program, and gets a 007 laptop.
    • by an.echte.trilingue (1063180) on Saturday January 17, 2009 @04:20PM (#26499645) Homepage
      The management is everything.

      I currently do the IT for a small business to pay the bills while I am in grad school. The hardest thing for me has been to get the owner on board with a sane security policy. When I walked in the door, the business used the same username and password for all 22 of the desktops, the one email account (that everybody shared!), the web server, the online bank account, everything. I was able to get all the employees on board with my security plans mostly because I explained what I wanted to do and why, and what it would do for the company... and they were happy to be getting separate email accounts.

      Then there is the boss. I explained my reasons for wanting a better security policy when I came on board. We sat down together and discussed different options, and he always gave me his approval. I thought everything was gravy, but I seriously overestimated his give-a-shit factor.

      For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? The boss had changed the SMTP password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.

      Of course, before long the other employees began picking up on his nonchalance, and they stopped bothering with security, too. Basically, due to his behavior, the architecture that should have given them a reasonable amount of professional privacy and accountability/deniability totally failed. I think this is really key: users are in general not stupid. Generally they are smart enough to understand the "why" behind security and follow through on it. You have to have systems in place to catch the bad apples, but that is about it. However, one stupid manager can ruin everything.

      I wouldn't care either, except that I have to clean up the messes this situation makes. This job is ultimately important for my resume (first post military employment), and I don't want to make the news for record data loss.

      God, I can't wait till I graduate.
      • by Creepy Crawler (680178) on Saturday January 17, 2009 @06:22PM (#26500653)

        Too true. I've seen similar to what you say. However, my education has not been book driven or learned in a scholastic setting. In fact, I have no degree to speak of.

        First thing is, as you said, a sane security policy. 1 email acct, same login/passwd, security-unconscious snooping owner all cause these horrendous problems. However, I'd also highlight one very nasty catchup: licensure. I'm guessing that he (the owner) bought the machines piecemeal as he needed them. And he probably bought them from different outfits, no less.

        One rogue user could turn them in to the Boy Sco^H^H^H^H^H^H^H BSA. Go look at that guitar string maker up north of us, here in Indiana. He went the Linux route with smart terminals from the old machines incapable of running Windows NewVersion. Still, after being sued, he avoided ever again allowing that kind of liability in their building.

        As per the snooping email: explain to him that hidden snooping will let him observe without alerting the user of being watched. On your side, create an account, and duplicate every users email settings into that account. Make it only receivable, and delete after 10 days (unless you have a beefy mailserver, which I doubt). I'd say it'd be stupid not to have a nice RAID1+0 server with 1-3 TB storage with Linux, admined via Webmin, but those things cost. I'd wait on that kind of proposal unless you can show immediate gain for him and his employees.

        And on the desktop snooping end, install VNC (if you use windows) as a service and "ignore remote mouse/keyboard" so he can watch as he pleases with only very minimal lag seen on the user end. The linux side, if you can convince him to switch, is just as easy. It uses x11vnc and is a one-line command. If you're running KDE, you can make a script that shows a pretty dialog box, asks for computer (ip/name) and logs in via ssh. The linux one is by far more secure, but requires switching.

        And on the snooping, I'd also recommend DansGuardian so he can ban "bad sites", allow them for himself, and have a log of bad sites for each user. This could easily be used as a tool to remove bad employees, in that they violate a "No porn/gambling/auction" sites, it can selectively be enforced. Yes, I do consider a tool like that to be unethical, but he makes the hiring/firing decisions: not you. The more power you can land in his control, the better for you as you support it.

        And the Stupid Admin issue: once you put that much control in his fingertips, he will not let it go. Explain to him that it would be disastrous if his users got hold of this power. In essence, scare the bejesus out of him. Trust me, it works.

        • If it makes you feel any better, my degree is in International Relations. IT is one of those hobby turned vocation things.

          Also, licensing is no longer an issue, although it once was. We are a 100% linux shop except for the accountant and the graphic artist, who have some software requirements that linux does not meet (btw, if anybody knows of a drop in linux replacement for winbooks that would be really helpful; I'm willing to pay).

          Anyway, for the boss it really is not about snooping, its about lazi
          • Re: (Score:3, Insightful)

            by SpzToid (869795) *

            If you have a cheap router on the dd-wrt supported list, you could VLAN the ethernet segment used by your boss, to minimize risk to that segment. It might also prove useful for an 'I told you so' moment later, if he was segmented away somehow.

            Also, what about setting this guy up with a thumb drive scanner, as a more secure method of password entry than now? Certain HP notebooks have this built on the right side.

            If you can't run Winbooks under WINE in something like Ubuntu, then you can try running Windows

      • For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? The boss had changed the SMTP password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.

        He doesn't need their email passwords to send email as them... all he needs is an open SMTP relay and a basic knowledge of his email settings. Of course I think he probably doesn't have that either.

        Small business is all the same. I've colleagues who have been in similar scenarios at small companies.

        I came from a company that was exactly the same. There was no IT security. The boss invited all his mates round on the weekends to thrash the high speed Internet connection and play games. They brought virus

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        You are in a position where failure is guaranteed.

        This failure will be blamed on you by exactly the man who's ignoring it.

        He already thinks he's better at the jobs of everyone he's hired than they are; and has the right to subvert their autonomy and act as them at will.

        Anything that happens positively in this environment will be credited to himself, and anything bad that happens will be blamed on whomever was assigned it.

        Get Out Now. I wish I were joking. Leave while you are on good terms and can just sa

    • Re: (Score:3, Funny)

      by owlnation (858981)

      "Now if I could only find a way to get management to read it."

      Pictures and bullet points. That's your way in. We all know management can't read.

  • Typo? (Score:3, Informative)

    by Jack9 (11421) on Saturday January 17, 2009 @03:24PM (#26499159)

    Security:

    * Focus on widgets, while omitting to consider the importance of maintaining accountability.

    Can someone clarify?

    • Re:Typo? (Score:5, Informative)

      by mpapet (761907) on Saturday January 17, 2009 @03:46PM (#26499331) Homepage

      * Focus on widgets, while omitting to consider the importance of maintaining accountability.

      This basically means having lots of things for admins to click on and make reports with. None of which actually improve security. IE7's "security" features and Microsoft's UAC are two good examples.

    • Re:Typo? (Score:5, Interesting)

      by Gazzonyx (982402) on Saturday January 17, 2009 @03:50PM (#26499365)
      If I'm reading it correctly, they mean:
      "Seeking a non-existent silver bullet (shiny object syndrome) while not considering that part of the solution is to follow known good practices".
    • Re:Typo? (Score:5, Insightful)

      by Opportunist (166417) on Saturday January 17, 2009 @04:23PM (#26499663)

      Basically it means "not realizing that security is the minimum of the security of the system and the security of the staff".

      Managers want to buy security. I've seen it time and again. They want a box from you, a piece of software, something they can plug in and be secure. It is usually incredibly hard to explain to them that security isn't just making the system secure but also to increase security awareness of their staff (and their own too!) because they have to have allowed access to the system, and if they are not security conscious, this legal access to the system can be used to gain illegal access.

      Security is the minimum of system and personnel ability. The minimum. Not the average. A system that allowed perfect security is worthless if used by people who open up holes in that security. Likewise, the best security people cannot lock down a system that by its very design is prone to security holes.

      And once you have finally got that into their skulls, try to explain that security is not a product but a process, because the requirements to stay secure once you reach a secure level change pretty quickly.

    • Re:Typo? (Score:5, Insightful)

      by anon mouse-cow-aard (443646) on Saturday January 17, 2009 @05:08PM (#26500017) Journal
      How many meetings have I been in where someone would say... "why bother configuring a router as a firewall, just get a Cisco PIX and it's all set for you..." -- folks who think the device will give you security regardless of how it is used. We need an IDS, an IPS, a web-filter, a layer 7 filter, in-line, out-of-band, etc... meanwhile the entire corporate network is flat, wireless is bridged into the copper nets on many sites, and folks are using 'drowssap' to secure half the accounts, and systems are two or three years behind current patch levels. It doesn't matter what stuff you buy if you don't know what you are doing, and don't follow through on the basics first.
    • by quanticle (843097)

      In other words, "All the antivirus, firewalls, and intrusion detection systems in the world won't help, if you don't hold your users (and your admins) accountable for their actions."

  • well.. (Score:3, Funny)

    by Anonymous Coward on Saturday January 17, 2009 @03:26PM (#26499169)
    First you make your lips like a doughnut then you use your cheek muscles to pull inward. It helps to have a lot of spit. and dont be afraid to take as much as you can. push your limits
    • Re: (Score:3, Funny)

      by couchslug (175151)

      "First you make your lips like a doughnut then you use your cheek muscles to pull inward. It helps to have a lot of spit. and dont be afraid to take as much as you can. push your limits."

      I'll get with HR about creating a position, but you're SO hired!
      If you bring a resume, make sure it's absorbent.

  • by Gothmolly (148874) on Saturday January 17, 2009 @03:29PM (#26499197)

    I work for $LARGE_US_BANK and our Infosuck guys do exactly all these things. Manage by magazine article, hire 'architects' who think portscanning is the same as pen-testing, and come up with policy upon policy that tries to limit what people can do - it does by mostly limiting the work people can do.

    This thing nails it.

    • by khasim (1285) <brandioch.conner@gmail.com> on Saturday January 17, 2009 @03:41PM (#26499295)

      Because most of the things in that list fall under "CYA" for the CxO's.

      They don't know what information security is. They aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.

      Given that, they'd much rather have a list of checkboxes that their "consultant" can show them (and the auditors) that "proves" that they're doing what is required.

      If something happens, they have the list of checkboxes and they'll fire the consultant and get a different one.

      They have successfully covered their asses and their jobs are the only things that are secure.

      • by plover (150551) *

        One good fix for much of this is the appointment of a CISO: someone who "gets it" at the top level, with a budget and a staff and the authority to wield them. It's also critical to have someone who can tell the other CxOs "the policy applies to everyone starting with us, because it won't work if we don't set the example. A failure of security at our level could cost us $x million per day."

        I work for a $LARGE_US_CORPORATION and our CEO has to swipe his badge to get into the buildings, same as

    • Re: (Score:3, Funny)

      I hate that bank!! I lost $A_LOTTA_FUCKIN_MONEY in one of their ATM machines...

    • by sholsinger (1131365) <sholsinger@gmail.com> on Saturday January 17, 2009 @04:54PM (#26499899) Homepage

      I work for $LARGE_US_DEFENSE_INSTALLATION where the policies are in place, nobody follows them, and the 2 guys that are in charge of risk and infosec are so overloaded with "password reset" requests that they can't even look at the performance of those policies. Furthermore, if they wanted to change something, they'd have to wait for a bi-weekly configuration control board meeting, where the four other division chiefs would quickly shut down any project they propose because it would be too much work, and their people already have too much on their plates, etc... you name it. It's happening there.

  • Just work for the bank that holds my mortgage. Believe me, they suck when it comes to security.
  • by kbrasee (1379057) on Saturday January 17, 2009 @03:31PM (#26499225) Homepage
    I know a guy who worked at a place where the system saved passwords as plaintext. So I guess that's the first mistake. He did a query, and 75% of the passwords were in fact "password".
    • by painehope (580569) on Saturday January 17, 2009 @03:40PM (#26499281)

      I once wrote a program that did a weekly dictionary attack (using a standard *nix cracking utility) on the site's passwd file, and then sent out a notice (containing the password, so that it *had* to be changed) to the offending users and the head of IT (I was in another department, but had root access since I ran the majority of the gear).

      Needless to say, it didn't make me very popular. But it sure as fuck made my point, both to management and to the users.

      • by khasim (1285) <brandioch.conner@gmail.com> on Saturday January 17, 2009 @03:49PM (#26499359)

        They'd just modify their password to meet the minimum requirement to avoid your detection. Usually by taking the passwords they already use and prepending or appending whatever will get them past the scan. And then ALWAYS using that same technique.

        _9%january
        _9%february
        _9%march

        Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.

        People hate passwords and they particularly hate passwords that they have to change every 30 days or so. So they'll find a way to (unintentionally) break your security just to make their life easier.

        • by fuzzyfuzzyfungus (1223518) on Saturday January 17, 2009 @04:07PM (#26499535) Journal
          On the plus side, if the users are doing whatever will get them past the scan, their accounts are now immune to dictionary attacks using a standard *nix cracking utility.

          Hardly perfect, but it has its virtues.
        • by Neoprofin (871029) <neoprofin&hotmail,com> on Saturday January 17, 2009 @04:09PM (#26499555)
          Pardon, I broke the security intentionally when they instituted all sorts of requirements for the passwords. My original password was fine, but then they added that it must change every 30 days, well I hope they like easy to crack passwords.

          1qaz!QAZ
          2wsx@WSX
          3edc#EDC
          4rfv$RFV

          They look great, but I guarantee that after one time watching me log everything is forever compromised. Good thing you didn't let me keep my easy (for me) to remember strong password.
          • by commodoresloat (172735) on Saturday January 17, 2009 @04:48PM (#26499851)

            You're right -- these passwords are easy to crack, once you post them to slashdot.

          • One quarterly password scheme I've heard of is to pick a city that has 4 major sports teams, and rotate through the year with the current team's name followed by the number of the year's season being played.

          • Wouldn't it make more sense for security to use two different rows of keys?

            Like:
            1qaz@WSX

            Would probably be harder for someone shoulder surfing to figure out exactly what it is you did, too.

            • by Neoprofin (871029)
              That's the point, I had a nice secure password that never would have caused them any problems, if they think the best way to get security is to force me to think up and remember a new password every 30 days then my solution is to become as insecure as possible to offset how incredibly annoyed I am.

              If they catch on to that one I'll just put it on a post-it on my machine.
              • Ah, you're trying to be an ass, because they're idiots. Got it.

                But seriously...that's as insecure as you could get?

                Maybe 1a1a1a1a would be a little more insecure.
                Or 1a!A1a!A, if you need symbols in your passwords.
                What are your minimum/maximum length restrictions?

                You could always try "SÄ"cμÑ"Ñ-ïá 1$ ÃzÄ...ÐÅ£ÅY" if you really want to be obnoxious. Meets all requirements I've ever seen.

                Upper case? Check.
                Lower case? Check.
                Numbers? Check.
                Spe

                • Damn.

                  Stupid unicode that isn't.

                  That was supposed to say "Security is Pants", in all sorts of Greek, Arabic, and Cyrillic characters.

          • Great tip! I'll remember those!

            Maybe I can return the favor.

            I have promoted some takedown of the "fear mentality" that's crept up lately. When we had this discussion once at work, I said "We're just not that interesting for the world class guys. You guys *watched* me log in and you don't recall my password. It's fine."

            While yours is visually too easy, a mnemonic pattern is a great source of passwords that are elementarily robust to cold attacks. If someone in the glass office decides it's worth going hyper ab

        • by Skater (41976)

          At work I have something like 15-18 passwords to deal with, all changeable every 60 days. I use four each day just to log in (although two of them are the same) to my machine. That doesn't include logging into up to three different servers all with different passwords. Add various company portals, document repositories, and web interfaces to things like my personnel data, and it's just too many passwords to remember.

          Just about all of these are 60 day intervals, and of course they aren't changing at the s

        • Re: (Score:3, Interesting)

          by Jurily (900488)

          Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.

          So, how does an outside attacker crack a password that is no longer valid?

          Also, if you have a previous password, it cannot be brute-forced. You need a human on the other end to guess what the current password is.

        • by painehope (580569)

          Well, the point was to make sure that people didn't have easily cracked passwords. Not perfect ones. It was a stop-gap measure. And bear in mind this was almost ten years ago.

          Anyone remember that quote that goes something along the lines of "every time we build an idiot-proof system, nature designs a better idiot"?

          You can't make people smarter. You can only hit them with a stick when they do something stupid. Thankfully, you can program a stick above their heads.

        • by RoboRay (735839)

          A couple of years ago, I needed to access a Department of the Army system for my work. The password requirements included, I shit you not, alternating numbers and letters. A password including any two numbers or two letters in a row would not validate. They expected (I guess) people to use passwords like 5h8d3l7v.

          Guess what my password was? 1q2w3e4r5t

          I'm sure at least 50% of the users chose that same password.

          • Re: (Score:3, Funny)

            by eihab (823648)

            That reminds me of a funny email about password rules that was going around, it went like this:

            CORPORATE DIRECTIVE NUMBER 88-570471

            In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.

            RULES FOR THE SELECTION OF PASSWORDS:

            1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.

            2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.

            3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.

            4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.

            5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.

            6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.

            7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.

            Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.

        • Yea, this one is true.

          It's a little sneaky though. People go gung ho the first four months, because "we're being more secure".

          Then some six months in it all starts to blur, and people wipe out.

          "What was my password this month... was it xQlaTira? or that other one, YumNioxica? Aw hell, let's just reset it to my cat's name."
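Added example, not part of this thread or of the SANS diary it discusses: a small Python auditor for the two habits the comments above describe, khasim's rotating stem ("_9%january", "_9%february", "_9%march") and the keyboard walks Neoprofin and RoboRay posted ("1qaz!QAZ", "1q2w3e4r5t"). It assumes a US QWERTY layout, a plaintext password history per user as a cracker would recover it, and the constructed SAMPLE_HISTORY at the bottom; the user names there are invented and nothing outside the standard library is used. The point it makes in code is khasim's: once the stem is known, the "new" password each month is a guess, not a secret.

```python
"""Audit recovered password histories for predictable rotation and keyboard walks."""
from __future__ import annotations

import os

# US QWERTY rows; the column offset approximates the physical stagger so that a
# vertical walk such as "1qaz" counts as adjacent keys. (Assumption: US layout.)
_ROWS = [
    ("`1234567890-=", 0.0),
    ("qwertyuiop[]\\", 0.5),
    ("asdfghjkl;'", 1.0),
    ("zxcvbnm,./", 1.5),
]
# Shifted symbols fold back to the key that produced them, so "!QAZ" becomes "1qaz".
_SHIFTED = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))
_COORD = {ch: (row, col + offset)
          for row, (keys, offset) in enumerate(_ROWS)
          for col, ch in enumerate(keys)}
_MONTH_NAMES = ("january", "february", "march", "april", "may", "june", "july",
                "august", "september", "october", "november", "december")
_MONTHS = set(_MONTH_NAMES) | {m[:3] for m in _MONTH_NAMES}


def _normalise(pw: str) -> str:
    return "".join(_SHIFTED.get(c, c) for c in pw.lower())


def _adjacent(a: str, b: str) -> bool:
    if a == b or a not in _COORD or b not in _COORD:
        return False
    (r1, c1), (r2, c2) = _COORD[a], _COORD[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def keyboard_walk_score(pw: str) -> float:
    """Fraction of character pairs that sit on adjacent keys, 0.0 to 1.0.

    Stride 1 catches "1qaz"; stride 2 catches interleaved walks like "1q2w3e",
    where every other character continues the walk. Returns the better of the two.
    """
    s = _normalise(pw)
    best = 0.0
    for stride in (1, 2):
        pairs = [(s[i], s[i + stride]) for i in range(len(s) - stride)]
        if pairs:
            best = max(best, sum(_adjacent(a, b) for a, b in pairs) / len(pairs))
    return best


def rotation_pattern(history: list[str]) -> str | None:
    """Classify a user's successive passwords: 'reuse', 'month', 'counter' or None.

    Takes the stem shared by every entry (common prefix plus common suffix) and
    looks at what varies. For "_9%january", "_9%february", "_9%march" the stem is
    "_9%" and the variable part is a month name, so the next one is predictable.
    """
    if len(history) < 2:
        return None
    lowered = [p.lower() for p in history]
    if len(set(lowered)) == 1:
        return "reuse"
    prefix = os.path.commonprefix(lowered)
    suffix = os.path.commonprefix([p[::-1] for p in lowered])[::-1]
    if len(prefix) + len(suffix) < 3:
        return None  # nothing stable enough to predict the next one from
    middles = [p[len(prefix):len(p) - len(suffix)] for p in lowered]
    if not all(middles):
        return None
    if all(m in _MONTHS for m in middles):
        return "month"
    if all(m.isdigit() for m in middles):
        return "counter"
    return None


def audit(history_by_user: dict[str, list[str]], walk_threshold: float = 0.6) -> list[tuple[str, str]]:
    """Return (user, finding) pairs; the current password is the last in each history."""
    findings = []
    for user, history in history_by_user.items():
        pattern = rotation_pattern(history)
        if pattern:
            findings.append((user, f"rotation:{pattern}"))
        if keyboard_walk_score(history[-1]) >= walk_threshold:
            findings.append((user, "keyboard-walk"))
    return findings


# Constructed sample history; the first three users carry the thread's own examples.
SAMPLE_HISTORY = {
    "khasim_user": ["_9%january", "_9%february", "_9%march"],
    "neoprofin": ["1qaz!QAZ", "2wsx@WSX"],
    "roboray": ["1q2w3e4r5t"],
    "hunter": ["Hunter01", "Hunter02", "Hunter03"],
    "ok_user": ["T9#kLm2p", "vR7!qd4Z"],
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_HISTORY):
        print(f"{user}: {finding}")
```

Run it as a script and it lists khasim_user and hunter as predictable rotations and neoprofin and roboray as keyboard walks, while ok_user passes. The walk threshold of 0.6 is a tuning choice: a normal English word scores well under it, and "1q2w3e4r5t" scores 1.0 because every second key continues the walk.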

      • by SirLurksAlot (1169039) on Saturday January 17, 2009 @03:50PM (#26499369)

        I'm surprised they didn't fire you after the first time. Most management types would see that as a threat and a violation of their security policy rather than a dedicated employee trying to make a point about security.

        • by painehope (580569)
          They didn't have any authority over me. I ran their clusters (data processing dept.), whereas IT was a separate department. Besides, I think a lot of people in IT were glad I did it. They didn't have any kind of password security policy, so people would make their passwords all kinds of silly shit, like their favorite color.
      • by MoonBuggy (611105) on Saturday January 17, 2009 @04:32PM (#26499723) Journal

        The problem with many password rules is that you're often trading a moderately difficult technical attack for a fairly simple social attack.

        It doesn't matter that your users have to choose a password that'd take 10^15 years to crack if 90% of them then have to keep it written on a post-it stuck to their monitor just to remember how to log in every morning.

        • by painehope (580569)

          Amen, brother, amen.

          That's why I pick a phrase that I remember (like "goingtohellanyways"), do alphanumeric substitution on it, and then shift a character or two around. That way you just need to remember the phrase, the substitution is automatic, and then an association of the numbers with the phrase (like "hey, it has four words in it, let's just shift every fourth character around").

          The fact that I can remember this for multiple accounts at once just indicates how obsessive I am. Or neurotic.

        • Re: (Score:3, Insightful)

          by jonaskoelker (922170)

          It doesn't matter [...] if 90% of them then have to keep it written on a post-it

          Actually, writing down your passwords and sticking the note in your wallet is not a bad idea. The only reason the post-it solution is bad is because it's on your monitor where it's open to abuse.

      • by Opportunist (166417) on Saturday January 17, 2009 @04:33PM (#26499731)

        Funny that you mention it, I did the same when I was working for a company that, let's say, should be very security conscious. No hour after I sent out those letters (I was the IT department head, so there wasn't anyone but the respective users to mail to) I was called upstairs and my boss (who apparently got one of the mails as well, I don't know, it was automated and I wrote it so that only the system and the person with the insecure password knew that their password was easily hackable) told me in very unmistakable terms that I would be fired if I tried to hack our own system again.

        Trying to explain that it is in my job description to ensure corporate security and that insecure passwords are a severe security risk did not help. He wanted security to be comfortable and nothing to worry about, and certainly not something that would require him to have anything to do with it.

        I handed in my 2 weeks notice the very same day. It was a very well paying job, but I somehow felt that I would be fired eventually anyway when (not if) the company had to deal with a security breach. It did happen to my replacement no year later, and I guess it doesn't look good on your resume if you're dealing in IT security and have to admit you were fired for a severe security breach.

        • by painehope (580569)

          Hell, I did it just for fun.

          But, then again, I didn't report to the people that would have potentially been pissed off (PHB's in IT), so the worst they could do was complain to my manager (who would have laughed them out of his office, he had the same ideas about security that I did).

        • by painehope (580569)

          But, come to think of it, I did almost get canned from one job after being told to clean up a /home volume and implementing a script that sent warnings if a user had files of set X or used N amount of disk space (N = total/users).

          And for a similar reason...the bosses were the ones using up all the shared disk space with presentations and other bullshit that they could have easily put somewhere else. Yeah, the same bosses who told me to make sure the disk space was available for job data that needed to be

        • by jjohnson (62583)

          FYI, "no" is not a synonym for "one" (or any other number).

          • Thank you for the information. I guess my native language managed to influence my English again, I'll try to improve.

      • I once wrote a program that did a weekly dictionary attack (using a standard *nix cracking utility) on the site's passwd file, and then sent out a notice (containing the password, so that it *had* to be changed) to the offending users

        Good thing you showed them good security practices by sending out passwords in the clear. I don't follow how the notice made sure that they "*had*" to change the password; it would seem that ignoring the notice would work just as well.
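The audit described in the parent comment can be run without ever putting a cleartext password in the notice, which is the reply's objection. The following is an added example, not the poster's program: it screens constructed, salted SHA-256 account records against a constructed common-word list and produces a notice that names only the user and a deadline. The hash scheme, the wordlist, the account records and the 7-day lock rule are all assumptions for the example; a real site's passwd file uses crypt-style hashes and a far larger list.

```python
"""Weak-password audit that reports a match without revealing the password.

Added example with constructed data: the hash format is a simple salted
SHA-256 chosen for illustration, not a real /etc/shadow scheme.
"""
import hashlib
import hmac

# Constructed common-word list; real audits use much larger lists.
COMMON_WORDS = ["password", "letmein", "welcome", "dragon", "qwerty"]


def hash_pw(password: str, salt: str) -> str:
    """Salted SHA-256 hex digest (illustrative scheme, an assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed account records: username -> (salt, stored hash).
ACCOUNTS = {
    "alice": ("s1", hash_pw("password", "s1")),
    "bob": ("s2", hash_pw("Xk9#bnWq2!", "s2")),
    "carol": ("s3", hash_pw("dragon", "s3")),
}


def find_weak_accounts(accounts, wordlist):
    """Return the sorted usernames whose stored hash matches a wordlist entry."""
    weak = []
    for user, (salt, digest) in accounts.items():
        for word in wordlist:
            # constant-time comparison of the candidate hash against the stored one
            if hmac.compare_digest(hash_pw(word, salt), digest):
                weak.append(user)
                break
    return sorted(weak)


def build_notice(user: str) -> str:
    """Notice text that orders a change but never includes the password itself.

    The deadline and lock-out are an assumed policy; they are what makes
    the change mandatory rather than optional.
    """
    return (
        f"{user}: your password was found in a common-word dictionary during "
        "the weekly audit. Change it within 7 days; accounts still failing the "
        "audit after that will be locked."
    )


if __name__ == "__main__":
    for weak_user in find_weak_accounts(ACCOUNTS, COMMON_WORDS):
        print(build_notice(weak_user))
```

Because the notice carries no secret, it can go over ordinary e-mail; the lock-out deadline, not the notice text, is what turns "please change it" into "you have to change it".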

    • Re: (Score:3, Funny)

      by sakdoctor (1087155)

      Hey! That's MY password you insensitive clod.
      Well, now that you all know, I won't be held responsible for any trolling done on my account.

  • - Expecting others to have read the site linked.
    - Expecting the site to dis Microsoft or to have to address this in a comment.
    • by Jurily (900488)

      - Expecting the site to dis Microsoft or to have to address this in a comment.

      We have a new Godwin. "In any slashdot discussion, the likelihood of dissing Microsoft approaches one."

  • > Now if I could only find a way to get management to read it.

    Re-route all web traffic to go to a "I've read and agree to the security policies" page that must be confirmed before they can browse any web sites. Put strong language in there letting them know their jobs are at risk if they break any of the security policies.

    • Re: (Score:2, Informative)

      by m95lah (55920)

      Wow: airing an idea about click-through EULAs on ./

      Are you by any chance doing field trials for fireproof pants?

      • Yes (Score:2, Funny)

        by Anonymous Coward

        It's like I'm wearing nothing at all.
        nothing at all.
        nothing at all.

  • by TaoPhoenix (980487) <TaoPhoenix@yahoo.com> on Saturday January 17, 2009 @03:39PM (#26499277) Journal

    I found an issue originally as it applies to free webhosts, but would probably apply to all the companies the other article says are gonna croak by 2010.

    Step 1. "Register with your full real information! We need this info because we're gonna micropay you for _____ ." (Sorta true - they would need a mechanism to transfer actual payments. Assume they are legit and not a Nigerian scam.)

    Step 2. "Bah, we know we never had a business plan, so we're gonna shut down."

    Step 3. "Oh look, we just chucked our assets for $1000 on ebay without actually taking care to secure them. Now someone has your info."

  • by IvyKing (732111) on Saturday January 17, 2009 @03:48PM (#26499343)
    We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.
    • Re: (Score:3, Funny)

      by treat (84622)

      We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.

      That's not nearly as funny as places that do background checks *months* after an employee has started. That leads to really interesting situations, where newly valuable employees have to face the possibility of being fired. The decision is completely random and is partially based on an HR person's reading of a background check report that they do not really understand. The employee's boss can also help them out if they want (but not every time, it's basically random depending on how it looked in the databas

  • InfoSec in nearly all corporate environments breaks down into a couple of basic facts.

    1. Do just enough, at the lowest possible price to maintain compliance and then everyone does their best to ignore it because it's all messy overhead costs.

    2. Have someone in IT to blame. This is especially true if your title has something to do with infosec.

    1 and 2 are a special kind of evil circular logic where the exec blame-shifts to the IT guy for their "buggy" porn-riddled trojaned corporate laptop. In the exec's c

  • by Opportunist (166417) on Saturday January 17, 2009 @04:08PM (#26499545)

    Power without responsibility, though, is a nightmare.

    My personal pet peeve is managers who demand full access rights for their accounts while at the same time ignoring any security standards. It pretty much fits into the "security guidelines that don't apply to executives" problem.

    It usually takes a very long time to explain why limited rights are actually good for you. What usually works out is to tell people that you cannot be blamed for anything you don't have privileges for. If something goes wrong, you can push responsibility away and claim you couldn't be responsible for it because you simply didn't have the permissions necessary to do it.

    Believe it or not, this argument is way stronger than any increased security you could use as an argument.

    At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.

    • by Jurily (900488)

      At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.

      Amen. CYA is the new national anthem.

  • by Cally (10873) on Saturday January 17, 2009 @04:59PM (#26499937) Homepage
    See these scars? Nimda. See this funny dent in my leg? NT4 SP5... this piece was so true it hurts.
  • by mergy (42601) on Saturday January 17, 2009 @05:32PM (#26500227) Homepage
    "Assume all potential attacks will come across the network or internet and disregard direct physical access to the hardware"
  • by Mutatis Mutandis (921530) on Saturday January 17, 2009 @05:51PM (#26500411)

    The biggest problem with security is often that the IT people don't understand what the computers are actually used for. And worse: Don't even want to know. They have converted their IT job into a cargo cult.

    They then define security policy as the unilateral invention of the IT department, stressing how to be secure as opposed to how to work securely. Ignoring that the best way to be secure is to pull the plug, of course, as that would put them out of a job as well.

    The result is usually an IT policy that conflicts with getting work done, and therefore is undermined by employees at every opportunity. Overall security result: Zero. But lots of mutual loathing and recrimination.

    In some fields this is frighteningly common. I've been in debate sessions with a few score of colleagues, most of them working with competing firms, and found them in universal agreement that their IT department was hopeless and they would be better off doing everything themselves. Several of them had already set up their own systems, quick and dirty and probably with pretty poor security. But it worked for them, which was all that mattered to them --- at the time.

    The lesson is: Always define your IT policies, security and others, together with the users. Especially the heavier consumers of IT resources and the users with the most skills, for they have the know-how to bust the security systems, and their example will be followed by their peers. Make sure policies are acceptable to everyone and the logic behind them is well understood.

    Secondly, make sure to always be there to offer help when someone has a problem that needs to be solved. You want to be part of that solution. And never, never say that it just can't be done.

  • by Anonymous Coward

    At my last job, SEVEN MONTHS AGO, I was asked what was needed to make SQL Query hacks impossible.

    So I wrote out a long list, and it just sat there on their server for future use in upcoming projects.

    Meanwhile, 100,000 sites went down to SQL Injection attacks later that month.

    I feel like I was writing a guide for recent layoffs for the people who worked there who thought their job was threatened by a new programmer.

    And I'm sure my report was ignored by people who actually worked there.
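The single item that would have topped any such list is parameterised queries. As an added example (not the poster's report, and not any particular site's code), here is the string-concatenated lookup that SQL injection relies on beside the bound-parameter form that closes it, run against a constructed in-memory SQLite table through Python's standard sqlite3 module. The table, rows and probe string are constructed for the demonstration.

```python
"""Vulnerable string-built query beside the parameterised fix.

Added example using Python's sqlite3 and a constructed in-memory table.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create a constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the caller's value is pasted into the SQL text.

    A value containing a quote character changes the query's structure,
    so the WHERE clause can be rewritten by whoever controls `name`.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fixed form: the value is bound as a parameter.

    The driver hands it to the engine as data, never as SQL text, so
    quote characters in it cannot alter the statement.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = setup_db()
    probe = "x' OR '1'='1"  # constructed malformed input, the textbook test string
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_safe(db, probe))        # no row has that literal name
    print("safe/bob:  ", lookup_safe(db, "bob"))        # normal lookups still work
```

The same rule applies to every driver and ORM: the only text that ever reaches the engine as SQL is text the program wrote, and everything supplied by a user travels in a bound parameter. Input filtering on top of that is a belt to the parameter's braces, never a replacement for it.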

  • by X.25 (255792)

    I took a 4-5 year "break" from security (switched to other areas, kept 'in touch' with my first love ;), because it really turned into all these things mentioned in the article.

    I'm now looking to come back, I can't even imagine what it's going to look like in a corporate environment, but something tells me I'll be disappointed :(

  • by Doghouse Riley (1072336) on Saturday January 17, 2009 @11:33PM (#26502917)
    Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.

    Wait 24-48 hours.

    Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.

    You'll get your eyeballs.

    Obviously not to be overused - I've done this three times in a 20+ year career.
