Protect Your Nuts

I agree, Brute Force is a dead concept in today's world, but credential stuffing is a very real threat today. I see the same thing against Financial Institution servers, usually Online Banking or OFX (Quicken/Quickbooks Direct Connect) servers. While the rate isn't concerning, it's the fact that the attackers are passing known credential combinations to see if any of those combinations are valid against the institution. While the failure rate is obviously extremely high, the attack is just about the validation. The attacker makes money by then selling a known-good username/password list; it's usually another group that then runs the actual attack. For FIs it's mostly Online Banking account take-over and small-dollar extraction (usually under 5k), but done hundreds of thousands of times over it's a huge enterprise. It also matters a whole lot to the account holder, who in all likelihood doesn't even know their creds are exposed. When we see this traffic we redirect it to a mirrored server which returns an invalid credential response regardless of submission and then let the attacker run through their list.

The reason why I say password policies are shit is that at the end of the day people are the weak link in the chain. Every time I've run a generic phishing test on an organization I've captured at least 5% of targets. Directed or daisy-chained attacks I'll get 20-30%. Doesn't matter the training, doesn't matter the competency of the people, how good IT staff is, someone in a rush or just not thinking is all it takes. 2FA in a lot of forms makes it harder for attackers, but people still compromise those codes all the time. SmartCard Auth is really the only solution today in my opinion, and it's not perfect and really only viable from a corporate network standpoint.

------------------------------------------------------------------------------------
"deserves" ain't got nothin to do with it.
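Added example, not part of the post above: the low-rate, many-usernames, almost-all-failures pattern described for credential stuffing, flagged per source in constructed auth log lines, plus a decoy handler that answers every request from a flagged source with the invalid-credential response so the attacker learns nothing about which pairs were valid. The log format, thresholds and sample lines are assumptions.

```python
# Added example (not from the forum post). Flags credential-stuffing sources
# by distinct-username count and failure ratio rather than request rate,
# then routes flagged sources to a decoy that never confirms a credential.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines: "<epoch> <src_ip> <username> <result>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice FAIL
1700000030 203.0.113.7 bob FAIL
1700000060 203.0.113.7 carol FAIL
1700000090 203.0.113.7 dave FAIL
1700000120 203.0.113.7 erin OK
1700000150 203.0.113.7 frank FAIL
1700000000 198.51.100.9 alice FAIL
1700000005 198.51.100.9 alice FAIL
1700000010 198.51.100.9 alice OK
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

def summarise(log_text):
    """Per-source attempt count, failure count and distinct usernames."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        _ts, src, user, result = line.split()
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if result != "OK":
            s.failures += 1
    return stats

def stuffing_sources(stats, min_users=5, min_fail_ratio=0.8):
    """Sources trying many distinct usernames with nearly all attempts failing.
    A single user failing a few times (typo, forgotten password) is not flagged."""
    return sorted(
        src for src, s in stats.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio
    )

def login_response(src, user, password, flagged, real_check):
    """Decoy behaviour: flagged sources always get the invalid-credential answer,
    even when the submitted pair is actually valid."""
    if src in flagged:
        return "invalid_credentials"
    return "ok" if real_check(user, password) else "invalid_credentials"
```

Thresholds (five distinct usernames, 80% failures) are assumptions to be tuned against real traffic; shared NAT egress points will need a higher distinct-user bar.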
The Unmanned Writer

Sure asked that too. As it is a private company, the response was along the lines of "our computers, our network, our security rules." It did change after the USAF found out, since they were also on the network and assigned to the buildings.

Life moves pretty fast. If you don't stop and look around once in a while, you could miss it.
"If dogs don't go to Heaven, I want to go where they go" Will Rogers
The definition of the words we used carry a meaning of their own...
goodheart

I like Kenpoist's cartoon example. For my personal computer and hard drives I use diceware-derived passwords, usually 6-7 words. For online I use Apple's generated passwords. Now going back through the passwords identified by Apple as compromised, frequently used, easily guessed, used repeatedly, and gradually getting rid of them.

_________________________
"Remember, remember the fifth of November!"
Nullus Anxietas

Correct. When the company for which I'd worked was acquired by a new company, the new PHBs declared that, going forward, HR would maintain a record of all employees' passwords. "No," I replied, "they will not, or you're looking for a new Admin. And btw: You won't get any sensitive government contracts with that policy." Hell, I once suspended a senior manager's network access for sharing his login credentials with a guest. I suspended several users' accounts, more than once, when they shared their login credentials with an abusive upper-level manager who thought the rules didn't apply to him. The asshole eventually learned to stop doing that. (They feared him. I did not.) Hell, I'm not even sure a company can achieve PCI compliance (essentially minimum security standards to be allowed to process credit card transactions) with a policy like that--and PCI compliance is pretty weak tea, IMO.

It is in MS-Windows, as well.

We had the same policy. This has nothing to do with "our stuff, our rules," but just plain bad practice.

Ha! I bet it did. Without going into detail, an AF contractor and AF network security personnel went through our network security policies, interviewed me in depth, and, IIRC, randomly interviewed some of my coworkers before we were allowed to take on a sensitive contract. They were not fooling around.

"America is at that awkward stage. It's too late to work within the system, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
Prepared for the Worst, Providing the Best

StateFarm is the worst offender for this. Their requirements are stupid complex, and they force you to change it so often that every time I have to log in to pay my bill I have to use the "forgot my password" thing. Which ultimately results in me writing the new password down somewhere, which is less secure than if they just let me use one that I would remember. I actually just sent them an email complaining about it this week, and they sent me an e-mail back with instructions on how to change my password. Out of touch, condescending crap like that might finally push me to find a new insurance company...
His Royal Hiney

For work, I settled on a format: IloveRey!01. Next password: IloveRey!02, and so on. It's only been a little over a year since I went on a password manager. I wish I had started way sooner.

"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
Member

I write my passwords down, and use a different password for everything. I use underscores between words, and the words are altered, with numbers and letters and symbols, and I try to change the passwords on an irregular basis. dO_No?t_LiK3_gRaP5! I also make a point not to answer emails I don't know, and all the other basic precautions. I check each email address before I open it, even if I do know it. I compartmentalize information, don't share between parties or sites or sources, use false names, dates, etc., and change them up between any online sources. I've had passwords crop up as used in an attack, and at least with individual passwords I can focus on which one was compromised. For some things, I just don't go online, like banking. I go to the bank. I still use a written daytimer for everything, and I keep track of my most used information there... the obvious security issue is if the daytimer gets lost or stolen. I'm neither smart enough, nor have a good enough memory to do without, so it's still pen and ink.