
'security' gone mad at work

Comments

  • CabbageCatCabbageCat Frets: 5549
    edited February 2017
    Myranda said:
    Myranda said:
    Sporky said:
    Myranda said:

    even distributions of binary digits and random are not the same thing... in a random number, or even a series of genuinely random numbers, I'd expect to not expect anything
    To some extent it depends what you mean by "random", but assuming we're saying that each digit is selected without reference to any other digit, and without weighting between digits, then over any large sample you should see a lot of repeated digits.

    When people generate what they think are random sequences there are usually too few repeated digits, which makes the sequences more predictable and weaker as security measures.

    Apple derandomised the track shuffling in iTunes because people noticed a lot of consecutive tracks appearing, and thought it wasn't random. They changed the algorithm to be less random but to produce fewer consecutive tracks, even from the same album or the same artist. People then thought it was more random...
    But how big was his school class that a 20-digit binary number would show any significant grouping/non-grouping...

    The 30 or so numbers could be the most random selection of the million plus combinations possible ... but it might be very easy to make all sorts of assumptions

    There is a chance that an anticipated non-random pattern is created randomly, yes. The experiment doesn't "prove" anything, it just indicates an extremely strong likelihood of it. You wouldn't need a particularly large sample to hit "extremely strong likelihood".
    Just saying that (assuming 30 school kids) 0.002% of the range is too poor to make any determinations, even of strong/weak likelihood 


    Really? 0.002%?

    I'm usually impressed enough with a 1-in-52 chance card trick that I strongly believe that it was done on purpose.

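The point made above about human-chosen sequences having too few repeated digits can be checked numerically. The following is an added example, not code from anyone in this thread: it counts runs in a 0/1 string, computes the exact probability that a genuinely uniform random string of the same length has such a short longest run, and flags strings that a fair coin would almost never produce. The sample string, the 5% threshold and the function names are all my own assumptions for illustration.

```python
"""Added example (not from the thread): how "random-looking" a bit string is.

Given a string of 0/1 digits, count its runs and longest run, and compare
with what a genuinely uniform random bit string of the same length gives.
People asked to write down a random sequence tend to alternate too often,
producing too many runs and too short a longest run.
"""
from itertools import groupby
from secrets import randbits


def runs(bits: str) -> list[int]:
    """Lengths of maximal runs of identical digits, e.g. '0011101' -> [2, 3, 1, 1]."""
    return [len(list(g)) for _, g in groupby(bits)]


def expected_runs(n: int) -> float:
    """Expected number of runs in n fair, independent bits: 1 + (n-1)/2."""
    return (n + 1) / 2


def prob_longest_run_below(n: int, k: int) -> float:
    """P(longest run < k) for n fair independent bits, by exact dynamic programming.

    dp[r] = number of strings of the current length whose final run has
    length r (1 <= r <= k-1); strings containing a run of length >= k are
    never generated, so sum(dp) counts exactly the strings we want.
    """
    if k <= 1:
        return 0.0 if n > 0 else 1.0
    if n == 0:
        return 1.0
    dp = [0] * k          # index 0 unused
    dp[1] = 2             # length 1: '0' or '1'
    for _ in range(n - 1):
        new = [0] * k
        new[1] = sum(dp)  # append the other symbol: run restarts at 1
        for r in range(1, k - 1):
            new[r + 1] = dp[r]   # append the same symbol: run grows by one
        dp = new
    return sum(dp) / 2 ** n


def looks_human_chosen(bits: str, threshold: float = 0.05) -> bool:
    """Flag a string whose longest run is so short that a uniform random
    string of that length would produce it with probability < threshold
    (threshold is an assumed cut-off, not a standard)."""
    longest = max(runs(bits))
    # P(longest run <= longest) == P(longest run < longest + 1)
    return prob_longest_run_below(len(bits), longest + 1) < threshold


def random_bits(n: int) -> str:
    """n bits from the OS CSPRNG, for comparison."""
    return format(randbits(n), f"0{n}b")


# Constructed sample: a 20-digit string of the alternating kind people tend
# to write when asked for "random" digits (15 runs, longest run 2).
HUMAN_LIKE = "01101001011010010110"

if __name__ == "__main__":
    for label, s in (("human-like", HUMAN_LIKE), ("csprng", random_bits(20))):
        print(f"{label:10} {s} runs={len(runs(s))} "
              f"(expected {expected_runs(len(s))}) "
              f"longest={max(runs(s))} suspicious={looks_human_chosen(s)}")
```

For the constructed 20-digit string, the probability that a fair coin gives a longest run of 2 or less is about 2.1%, so it is flagged; the same test on a string from the CSPRNG will only rarely trip, which is the asymmetry that makes human-picked "random" PINs and passphrases easier to guess than their length suggests.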
  • LoFiLoFi Frets: 534
    Myranda said:


    So, periodic password changes *could* stop undetected intrusions that have been quietly data mining without your knowledge. In the case of a (semi-)well-monitored network that has suffered an undetected intrusion, a password change could be followed by an observed drop in traffic, which would indicate that some unauthorised users might have been in the system using legitimate accounts... 
    Yep, completely valid - I guess I meant lower-level, corporate/nuisance hacker stuff, where security's far more at risk from a password on a post-it note stuck to someone's monitor than from a password being changed every year instead of every 3 months.
  • MyrandaMyranda Frets: 2940
    LoFi said:
    Myranda said:


    So, periodic password changes *could* stop undetected intrusions that have been quietly data mining without your knowledge. In the case of a (semi-)well-monitored network that has suffered an undetected intrusion, a password change could be followed by an observed drop in traffic, which would indicate that some unauthorised users might have been in the system using legitimate accounts... 
    Yep, completely valid - I guess I meant lower-level, corporate/nuisance hacker stuff, where security's far more at risk from a password on a post-it note stuck to someone's monitor than from a password being changed every year instead of every 3 months.
    Well, Titan Rain (and the two campaigns that followed it, one I can't recall the name of, and the other is still classified so won't be public for a few more years) did target corporate computers*... and access to a company's network, where that company is a trusted partner of a more secure site, could mean that a tiny company who supplies angled widgets for the army ends up causing a compromised army computer down the road... (or maybe a company that supplies a company that is trusted by a network, which in turn is trusted by another network, which in turn is trusted by an important secure network...)

    This is why we DO need passwords that are strong, so they do get regularly changed... but... they need to be something that's not changed all the time, and strong enough that it can't be guessed/cracked, and be something that can be remembered ...

    There's a distinct balancing act to it... but most places get it very wrong...

    I doubt that the OP's situation will allow network access, let alone in such a way that could be further exploited - however if the voicemail regularly contains sensitive information that a competitor could use... or it's possible to accidentally get someone else's voicemail box... maybe there's a reason for tighter security

    *it's suspected that information gathered by Titan Rain was used to ensure Chinese companies were able to work on technology developed by US and UK companies, initially to copy it and then to develop it further, and that other information was used so that Chinese companies could out-bid other nations' companies, so the gathered information might not be cool hacker stuff... it could be the way an enterprise-grade switch happens to handle certain packets... or widget designs.
  • TimmyOTimmyO Frets: 7539
    Forcing frequent changes to strong passwords for average folk is more likely to mean they write it down somewhere dumb. It's counter productive. 
    Red ones are better. 
  • TimmyO said:
    Forcing frequent changes to strong passwords for average folk is more likely to mean they write it down somewhere dumb. It's counter productive. 
    And yet...no matter how many times you say that to management or show them the actual evidence that it reduces security, they'll insist that it's done.
    <space for hire>
  • MyrandaMyranda Frets: 2940
    TimmyO said:
    Forcing frequent changes to strong passwords for average folk is more likely to mean they write it down somewhere dumb. It's counter productive. 
    But, if you have strong enough physical security and a team of security persons doing their job properly, a password written down would be better than the current thing of causing "Password123"; at least a written-down password needs a physical intrusion (hopefully on camera, through secure doors, past a security guard, in an office where others are confident in challenging someone they don't recognise)... one reason that if I end up working in Penetration Testing as a career after I'm qualified I want to promote the more American process of physical pen-testing, where the physical security is tested just as much as the network (currently not in vogue here because "of fears of terrorism"... according to multiple people I've questioned on that... surely that fear should be WHY you want physical security to be tested rather than why not).

    Though, while I think you need updating passwords I DO agree in that I think we do it too often and have absurd rules imposed which do not make strong passwords
  • SporkySporky Frets: 28640
    Myranda said:

    But, if you have strong enough physical security and a team of security persons doing their job properly, a password written down would be better than the current thing of causing "Password123"; at least a written-down password needs a physical intrusion
    Or a phone call to a colleague and a bit of social engineering...
    "[Sporky] brings a certain vibe and dignity to the forum."
  • MyrandaMyranda Frets: 2940
    edited February 2017
    Sporky said:
    Myranda said:

    But, if you have strong enough physical security and a team of security persons doing their job properly, a password written down would be better than the current thing of causing "Password123"; at least a written-down password needs a physical intrusion
    Or a phone call to a colleague and a bit of social engineering...
    Again, "proper security" should include educating your staff to not tell people stuff like that on the phone... even if you DO know who you're talking to, you don't know that someone in the booth next to you isn't listening in, or that the person on the other end of the phone isn't using a speaker phone... 

    Would you give your house keys to a total stranger just because they said they're your mum and really need a sweater? No, so why would you give a stranger the keys to a computer network just because they SAY they're from IT. We should make people more aware of this stuff, and sack people for failing (rather than saying "oh well accidents happen"). If you knew that giving out a password over the phone got you sacked every time, you'd never do it.

    --Edit--

    And get decent people to give this education... I've had some bloody boring talks in the past that I've zoned out from... most of us computer geeks aren't great public speakers... just saying