Thomas Delrue on 7 Jan 2016 10:08:11 -0800


Re: [PLUG] Time Warner and Linode report possible password breaches


A couple of years back, I worked for a high-profile multinational and
was privileged to a certain amount of very sensitive information. There
weren't really any real restrictions on me walking off with it (aside
from me not being a dick, but YMMV).
Sure, they have MFA (multi-factor auth), and auditing and a bunch of
other 'industry best practices' in place to make the suits feel good and
tick the right boxes when auditing time rolls around.

In reality though, none of these things really prevents a bad apple. Any
of these systems can be circumvented easily with a little imagination
(this is *not* an instruction manual):
- MFA: gain access to the systems while you aren't identified as a bad
apple yet
- auditing: "yeah, boss, I accessed that, but I *really* need it for my
job..." Boss without looking up: "ohh... ok, no problem! /signs off/"
- Need-to-know: mount.nfs $HOME/pwned (for
auditing access of this, see 'auditing')
- Encryption: see need-to-know

And this is in a company that knows pretty well what it's doing.

Now, for biometrics, I expect the following to happen in the future (cf.
OPM breach)

Proud Boss: We use biometrics, which are an 'industry best practice', to
log into our systems.
Underling: My biometric information was compromised by company X
suffering a data breach (e.g. Pearsons/OPM/etc...), so you can't really
use it securely.

Proud Boss: Hmmm... errr... here's a password you can use instead. Don't
tell anyone about this.
Proud Boss prime: ok, we won't hire you then. Not your own fault, but
the consequences are yours to deal with. Enjoy your 2 years of free
credit reporting you got from them.
Proud Boss double-prime: meh... we'll use your biometrics anyway and
pretend you didn't tell us that.

On 01/07/2016 12:49 PM, Keith C. Perry wrote:
> Agreed and of course you are right but people like that have no
> business in IT.
> It just pisses me off to see it.
> ----- Original Message -----
> From: "Thomas Delrue" <>
> To: "Philadelphia Linux User's Group Discussion List" <>
> Sent: Thursday, January 7, 2016 12:47:40 PM
> Subject: Re: [PLUG] Time Warner and Linode report possible password breaches
> On 01/07/2016 12:37 PM, Keith C. Perry wrote:
>> Screwing the company is one thing- screwing the client is
>> something else.
> What better way to screw over the company than by screwing over its 
> clients? That's the ultimate damage as evidenced by Doug's "We're 
> looking to get any of our gear that's on Linode off".
> That being said, you will have bad apples anywhere. If someone in a 
> privileged position is out to get you, they will get you (and it's
> going to sting). All you have to do to realize this, is to think like
> your adversary: if you know you want to do damage in the future,
> you'd start collecting actionable information beforehand while you
> still have your privileged position.
> Humans are the weakest link(, goodbye!) 
