Rich Kulawiec on 7 Jun 2017 04:55:49 -0700


Re: [PLUG] Password manager OneLogin hacked

On Fri, Jun 02, 2017 at 10:33:48AM -0400, Rich Freeman wrote:
> > Of course we only know about the hacks that operators care to report,
> > which is a subset of the set they know about, which is a subset of the set
> > their employees know about, which is a subset of the set that has happened,
> > which is a subset of the set that has and will happen.
> Sure, but the same is true of your own internal security breaches.

Mostly true, except for the first clause.

But the risks are far higher for services like these, because the threat
model is so different.  Every one of them is a high-value target, therefore
they will draw the attention of people ready, willing, and able to attack
high-value targets.  Given the pathetic overall state of IT security,
given the inexperience and naiveté of the people running these, and given
the highly asymmetrical nature of attack and defense, it's only a matter
of time until they're compromised.  They are thus just about some of the
*last* places anyone should trust with confidential/sensitive information.

Philadelphia Linux Users Group