Tag Archives: password

Behind Locked Doors: Part 2

This time, it was my turn to call someone for help.

The phone rang half a ring before I heard a familiar “Hello?” on the other end.

“Hi, James, it’s Mack. I need a favor from you, and I need it today, before 5 pm.”

“Not urgent, huh?” James teased.

“Not really, I just need it today. And I need you to keep it quiet,” I warned.

This is the second post in a series. See Behind Locked Doors: Part 1.

Filed under Audit, Case Files, fraud, Security, Technology

SONY stored Passwords in Password Directory

And in unprotected documents.

Lots of passwords. Lots of documents. Lots of easy access.

Filed under Audit, Humor/Irony, Security

UnNeighborly Security

I recently ran into some unneighborly security. It happens all the time to those of us who know how to build, upgrade, secure, and troubleshoot hardware and software.

I’m over at my neighbor’s house and he says, “Hey, you work with computers, so can you take a look at mine?”

There goes the afternoon.

Filed under Security, Security Scout, Technology

If Your Password Disappears, Look 4 it

If you enter a password into a login box and your password disappears, look for it!

I’m serious, because it happened again today. Not to me, but to my colleague.

Filed under Security, Security Scout

Twitter Hacked Again, Change Password

Twitter said that it was hacked again on Friday, 2/1/13, and attackers gained access to 250,000 accounts and passwords.

Twitter says the passwords were encrypted, the intrusion was limited, and everyone’s taxes are going down soon (okay, I was kidding about the last one). It’s always hard to sort out what is true and how much of the truth is told, so regardless of what Twitter says, change your password.

Filed under Security

Library Checkout: Touch Screen, Lose Password

A library near me implemented self-checkout stations that use touch screens that make it easy to lose your password.

Those of you who’ve been around might remember I have written before about libraries and how I’ve found questionable security.

So how do you lose your password?

Filed under Security, Security Scout, Technology

Quote of the Weak: Cloud & Passwords

According to the following article, the cloud is safer because the cloud data center is bigger than yours and has better fences. Oh, and passwords need to be hard to use so that others can’t use them.

Filed under Quote of the Weak, Security, Technology

Easiest Way to Steal Confidential Data

A lot of company data is lying around unprotected, making it very easy to steal. No, I’m not talking about picking up other people’s documents at the printer. Stealing printouts isn’t hard, but it can be risky, especially if the printer is a busy one. Besides, it has 2 other problems:

  • Your chances of picking up confidential data are low at any given time.
  • The person will look for the printout and wonder what happened to it.

There’s a much better way that is fast, easy, simple, raises no suspicion, and is basically impossible to detect, if you do it correctly. Can you think of what it is?

Filed under How to..., Security

Important update regarding your LinkedIn password = SPAM?

A friend of mine received the following email on Friday, 2 full days after the LinkedIn attack was made public, titled “Important update regarding your LinkedIn password”. Here’s the text she received, addressed to her by her first and last name:

[see UPDATE below]

Filed under Security

What IT Auditors Ought to Know – and Don’t!

Here’s my list of IT/security basics that I think IT auditors ought to know. If you can’t understand and audit these items, you do not know enough about technology to avoid having the wool pulled over your irises (no matter how good an auditor you are). The list is in no particular order.

If you’re a CISA or CISSP and you don’t know the following, I think you have some work to do.

Filed under Audit, How to..., Security, Technology

WordPress Hacked, Attackers Gain Root

On 4/13/11, WordPress announced it suffered a root-level hack of their servers and that “anything on those servers could have been revealed.”

Nothing is said about WHEN the hack occurred. From experience, I can tell you that you generally don’t announce a security incident until you’ve investigated it thoroughly, and that can take at least a day, sometimes more, depending on whether you have experts in-house or can get them in a hurry.

This attack directly affects only blogs or accounts hosted by WordPress (in other words, your blog URL ends with “wordpress.com”). If you host your own WordPress blog, you are indirectly affected. How? Since WordPress source code may have been compromised, attackers may be combing through it to find vulnerabilities that will allow them to attack any blog running WordPress, regardless of where it’s hosted.

If you have a blog or account that is hosted at wordpress.com, at least do the following immediately:

Filed under How to..., Security

Pathetic Password Help Pages

I found some really pathetic password help pages on a company’s intranet while I was there visiting.

This is a large company that most people would recognize, and it is subject to plenty of government regulations. Overall, I’ve heard the security is pretty tight, but since I’ve never worked there, I can’t speak from experience. Except, that is, the experience I mentioned in an earlier post, Randomly Generate Weak Passwords. Perhaps all their security is what Bruce Schneier likes to call “security theater.”

Filed under Audit, Humor/Irony, Security, Security Scout

Randomly Generate Weak Passwords

I was at a client’s site looking for more contract work when the manager of the department started telling me about their great IT security website on their Intranet. She clicks on their random password generator page and shows me how you can generate a block of “approved” passwords, sanctioned by their security department. At the top of the page, a banner read: Select a Strong Password!

Filed under Humor/Irony, Security, Security Scout

Quote of the Weak (Trojan=Password)

I’ve been absent from the blog lately due to a number of pressing projects, one of which was rebuilding a friend’s Windows XP box after a trojan massacre (and I thought only auditors stabbed the wounded — you should have seen the legions on that box).

When I delivered the newly minted OS and applications, my friend informed me that another set of email spam was sent from her Hotmail account at 3:20 am that morning. She asked me whether I was working on the PC at the time. I told her that not only was her PC turned off at that time, it was unplugged.

Filed under Quote of the Weak, Security

A Few Good Posts

Whether you’re new to this blog or not, you might have missed a few good posts. Here are some links and short descriptions.

Schneier’s Security Trade-offs – Security expert Bruce Schneier’s 5 questions for assessing the security process of anything.

Filed under Humor/Irony, Security

Throw Password Rules Under the Bus?

I ran across Tom Olzak’s post where he quotes from a SANS article by Daniel Wesemann, Password rules: Change them every 25 years. I disagree with both of them on a few points.

First, Olzak notes in his introductory paragraph that

Filed under Security

Free Firewall Password (Just Ask)

A couple of weeks into a new job, I was told that I was now in charge of the Internet firewall. I suddenly realized I had two major problems:

  1. I did not know squat about firewalls.
  2. I did not know the firewall password.

Filed under Security, Security Scout

Quote of the Weak (Special Characters)

While I realize many bloggers do “Quote of the Week,” it was Audit Monkey who gave me the idea. Here’s my very first quote:

Who uses special characters in passwords? Nobody does that.

Filed under Quote of the Weak, Security

Pwd on the Wall 2

My last post, Password, Password on the Wall, triggered a memory of another password issue I stumbled upon some time ago.

I had flown across the country to help a fellow system administrator upgrade some of his applications. At one point, we left the data center and ventured out to the factory floor to fix a botched client software installation.

Filed under Security, Security Scout

How to do an Easy Server Share Audit

Okay, so you’re not up to a wastebasket audit? Too demeaning, too sneaky, too many sticky candy wrappers? How about a simple server share audit?

Many companies have shared drives, and then they have “over-shared” drives, those locations used by anyone who needs a space to store files that they share with a couple of departments. Or perhaps your company just doesn’t lock down its shares according to the least privilege principle.

Filed under Audit, How to...

Top 100 Network Security Tools

Top 100 Network Security Tools is the third article in a series on audit and security tools. The first article, How to Stay out of Jail, stresses that you need a GOOJ card before you use any security tools or techniques. The second article, What Needs to be on a GOOJ Card, outlines how to create a GOOJ card.

Key point: Never use security or cracker tools on networks or devices from your employer or that you do not own unless you have permission in writing.

In this article, I describe a few security tools that I believe every auditor or security analyst should be familiar with, or at the very least, be aware of.

Filed under Audit, Security, Top 10