Thomas Delrue on 7 Jan 2016 10:08:11 -0800
Re: [PLUG] Time Warner and Linode report possible password breaches
A couple of years back, I worked for a high-profile multinational and was privileged to a certain amount of very sensitive information. There weren't really any real restrictions on me walking off with it (aside from me not being a dick, but YMMV).

Sure, they have MFA (multi-factor auth), and auditing and a bunch of other 'industry best practices' in place to make the suits feel good and tick the right boxes when auditing time rolls around. In reality though, none of these things really prevents a bad apple. Any of these systems can be circumvented easily with a little imagination (this is *not* an instruction manual):

- MFA: gain access to the systems while you aren't identified as a bad apple yet
- auditing: "yeah, boss, I accessed that, but I *really* need it for my job..."
  Boss without looking up: "ohh... ok, no problem! /signs off/"
- Need-to-know: mount.nfs secure-server.domain.com:/home/encryption_user/.ssh $HOME/pwned
  (for auditing access of this, see 'auditing')
- Encryption: see need-to-know

And this is in a company that knows pretty well what it's doing.

Now, for biometrics, I expect the following to happen in the future (cf. OPM breach):

Proud Boss: We use biometrics, which are an 'industry best practice', to log into our systems.
Underling: My biometric information was compromised by company X suffering a data breach (e.g. Pearsons/OPM/etc...) so you can't really use it securely.
Proud Boss: Hmmm... errr... here's a password you can use instead. Don't tell anyone about this.
Proud Boss prime: ok, we won't hire you then. Not your own fault, but the consequences are yours to deal with. Enjoy your 2 years of free credit reporting you got from them.
Proud Boss double-prime: meh... we'll use your biometrics anyway and pretend you didn't tell us that.

On 01/07/2016 12:49 PM, Keith C. Perry wrote:
> Agreed and of course you are right but people like that have no
> business in IT.
>
> It just pisses me off to see it.
>
> ----- Original Message -----
> From: "Thomas Delrue" <delrue.thomas@gmail.com>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Thursday, January 7, 2016 12:47:40 PM
> Subject: Re: [PLUG] Time Warner and Linode report possible password breaches
>
> On 01/07/2016 12:37 PM, Keith C. Perry wrote:
>> Screwing the company is one thing- screwing the client is
>> something else.
>
> What better way to screw over the company than by screwing over its
> clients? That's the ultimate damage as evidenced by Doug's "We're
> looking to get any of our gear that's on Linode off".
>
> That being said, you will have bad apples anywhere. If someone in a
> privileged position is out to get you, they will get you (and it's
> going to sting). All you have to do to realize this, is to think like
> your adversary: if you know you want to do damage in the future,
> you'd start collecting actionable information beforehand while you
> still have your privileged position.
>
> Humans are the weakest link(, goodbye!)
> https://www.youtube.com/watch?v=b_KYjfYjk0Q
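The need-to-know bullet in the message above (mount.nfs of another user's ~/.ssh) works whenever an NFS export trusts the client more than it should. The following is an added example, not part of the original post and not Thomas Delrue's code: a POSIX shell audit that reads an exports file and flags the three conditions that make that mount trivial. The sample /etc/exports content, the hostnames, addresses and paths in it, and the function names audit_exports and count_findings are all constructed for illustration. The auth_sys check is the one practitioners most often miss: with the default sec=sys the server believes whatever UID the client sends, so root_squash alone does not stop a user on a permitted client from impersonating encryption_user; only sec=krb5/krb5i/krb5p ties access to an authenticated principal.

```shell
#!/bin/sh
# Added example: audit an NFS exports file for exports that let an arbitrary
# client (or an arbitrary UID on a permitted client) mount and read other
# users' home directories. Constructed sample; hosts and paths are made up.

SAMPLE_EXPORTS='# constructed /etc/exports sample (not from any real host)
/home                  *(rw,sync,no_root_squash)
/home                  10.0.0.0/8(rw,sync)
/srv/build             buildbox.example.com(ro,sync,sec=krb5p)
/export/scratch        (rw)
/home/encryption_user  192.0.2.10(rw,sync,root_squash,sec=krb5p)'

# audit_exports FILE
# Prints one finding per line: "<path> <client> <reason>".
#   world-mountable     client spec is "*" or empty: anything that can reach
#                       the NFS port may mount it
#   no_root_squash      remote root keeps uid 0 on the export and can read
#                       every ~/.ssh regardless of ownership
#   auth_sys-uid-trust  no sec= option, or sec= allows "sys": the server
#                       trusts the UID the client sends (AUTH_SYS), so anyone
#                       who can pick a UID on a permitted client reads that
#                       user's files; root_squash does not help here
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        path = $1
        if (NF == 1) {
            # path with no client list at all: exported to everyone, AUTH_SYS
            print path, "<none>", "world-mountable"
            print path, "<none>", "auth_sys-uid-trust"
            next
        }
        for (i = 2; i <= NF; i++) {
            clause = $i; client = clause; opts = ""
            # split "client(opt,opt,...)" into client and option list
            if (match(clause, /\(.*\)$/)) {
                client = substr(clause, 1, RSTART - 1)
                opts   = substr(clause, RSTART + 1, RLENGTH - 2)
            }
            shown = (client == "") ? "<none>" : client
            if (client == "" || client == "*")
                print path, shown, "world-mountable"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print path, shown, "no_root_squash"
            if (opts !~ /(^|,)sec=/ || opts ~ /(^|,)sec=([^,]*:)?sys(:|,|$)/)
                print path, shown, "auth_sys-uid-trust"
        }
    }' "$1"
}

# count_findings FILE: number of findings, as a bare integer.
count_findings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: write the constructed sample to a temp file and audit it.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_EXPORTS" > "$demo_file"
audit_exports "$demo_file"
rm -f "$demo_file"
```

Run it as `audit_exports /etc/exports` on the NFS server. In the constructed sample only the two exports that require sec=krb5p come back clean; the /home line exported to 10.0.0.0/8 with root_squash looks reasonable at a glance but still trusts client-supplied UIDs, which is exactly the gap the mount.nfs one-liner exploits.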