elwoos
Master Smack Fu Yak Hacker
2052 Posts
Posted - 2005-04-13 : 04:21:25

I'm soon to be doing a general talk on IT security and wondered if anyone had any good stories I can use for a non-IT audience. Among other things I'm going to look at scams like phishing, password security, wardriving etc.

cheers
steve

A sarcasm detector, what a great idea.

JimL
SQL Slinging Yak Ranger
1537 Posts
Posted - 2005-04-13 : 12:57:22

When I first took over as IT I had one upper manager that was adamant about having his password be a 4-digit numeric code. I tried to get him to change it to mixed alpha and numeric and at least 5 chars, but to no avail; finally my boss told me to do as he wanted. Every other day for 2 weeks he would call me up saying he had forgotten the code, and then suddenly no calls. I figured he had finally remembered. A week later I had to load some updates on his computer (I try to do these at lunchtime) and written on his blotter was the password. On his computer was the website for his bank (with the username saved). On a hunch I punched in his code and sure enough got into his account. Since the balance was in excess of half a million I had a fleeting thought of sending an aunt in Holland a nice check. Instead I called my boss up to show him and we waited for the individual to come back from lunch. Needless to say I now have total control of password formats.

Jim
Users <> Logic

Kristen
Test
22859 Posts
Posted - 2005-04-13 : 13:24:13

I thought you were a database jock? Tell them you know nothing about IT security, but if the question had been "SQL Injection" you would have said ...

Kristen

elwoos
Master Smack Fu Yak Hacker
2052 Posts
Posted - 2005-04-14 : 03:17:58

Cheers Jim, like that one.

Kristen, yeah you're right, but the database I deal with has particularly sensitive data and particularly stupid users (oops, that was a typo). I've been thinking of trying to arrange a penetration test where someone who no-one here knows tries to get into the building and find some of this information (I think it would be dead easy, but I have inside knowledge). It did happen once, but the guy was stupid enough to look suspicious and so was soon caught. I suspect that someone with a bit of bottle would find it dead easy.

Of course there is the other side of it, in that if they are daft enough to download anything (think viruses, trojans etc.) then muggins here is the first one to be blamed when something goes wrong with their stupid computer/network etc. So there is some self interest in here too :)

How do you teach someone intelligence or common sense?

steve

A sarcasm detector, what a great idea.

robvolk
Most Valuable Yak
15732 Posts
Posted - 2005-04-14 : 08:25:13

quote: particularly stupid users (oops that was a typo)

That's OK, we know you meant to type "utterly moronic", but that would've been an insult... to genuine morons.

Kristen
Test
22859 Posts
Posted - 2005-04-14 : 13:30:07

Ah ... so IT security isn't about being able to get an IT department to provide backups then?

Kristen

JimL
SQL Slinging Yak Ranger
1537 Posts
Posted - 2005-04-14 : 13:33:23

You still beating that dead horse, Kristen? Backups? We don't need no stinking backups.

Jim
Users <> Logic

Kristen
Test
22859 Posts
Posted - 2005-04-15 : 02:28:55

Hehehehe ... whatever happened to Elwoos' long-running thread about his ... errrmmmmm ... Slight Problem with his IT department? It was a while ago, I expect he's now the head of IT and the problem has gone away ...

Kristen

elwoos
Master Smack Fu Yak Hacker
2052 Posts
Posted - 2005-04-15 : 04:21:20

Funny you should mention that, as it has reared its head again this week when I've been asked about our business continuity plan. One bright spark has suggested that there is a single box that is used in the event of an emergency - not sure how 50 users will manage at the same time with it, especially when some of them are based some miles away.

Then there is the question of testing of backup and restore procedures. My understanding (and I could be being completely unfair, though I suspect not) is that they have tested their backups never mind done a test restore. Given that they now have a clustered SQL Server that they won't let anyone else near (which is good as it means they can't blame anyone else when it goes pear-shaped) they may feel it is unnecessary. I'm just glad my system is not on it. Last I heard they were using 5 year old tapes too.

Me, I've just seen a decent job advertised nearer Kristen's neck of the woods (somewhere vaguely near Peterborough).

The head of IT is a decent bloke, it's just a shame that he allowed this (only partially independent) mini empire to thrive. They take great delight in pointing out how much better they think they are than the central IT (despite taking 18 months to set one PC up). So I take a perverse delight in pointing out when they aren't complying with the central policies, the best ones being when they had to completely redesign their intranet and when they had to abandon their email system.

The security talk has been delayed a month, so any more good stories would be appreciated.

steve

A sarcasm detector, what a great idea.

jen
Master Smack Fu Yak Hacker
4110 Posts
Posted - 2005-04-15 : 04:30:10

quote: How do you teach someone intelligence or common sense?

drop an apple on their head (it worked for Newton), preferably from one storey up (we don't want them dead, do we?). The size of the apple should be directly proportional to the level of stupidity of the user.

--------------------
keeping it simple...

Kristen
Test
22859 Posts
Posted - 2005-04-17 : 02:24:49

"somewhere vaguely near Peterborough"

Yup, I expect you could commute from there ...

"any more good stories would be appreciated"

What about ONLY doing backup scare stories ... and then explaining that IT fail on all of them?

I liked the one about the stepper motor on a tape drive which was broken - it was one of those "Record track 1, rewind, record track 2 ..." type tape systems. So it recorded track 4 on top of tracks 1, 2 & 3. And it happily verified that what was on the tape ..... errrrmmmmm ... the data on track 4, was indeed readable. At the first need of a restore the recovered data was a bit less than expected ....

I'd get approval to set up a staged attack.

Have you seen that program on telly about a group of reformed Crimbos? - they set up as a team to steal something, with the owner's approval, and find all sorts of security loopholes. They nicked a painting from an art exhibition (in a provincial town); amazing how they cased the joint and found a flaw in the security. And then they nicked a racehorse and figured how to make clean away with the ransom (which had trackers installed in the money bag and all sorts).

There ... you can even get a TV series made out of it ... send my 10% commission to my usual beach address please!

Kristen

jen
Master Smack Fu Yak Hacker
4110 Posts
Posted - 2005-04-18 : 01:43:48

don't know if it's funny, but it's quite disturbing that netadmins are asking users the IP address and physical location of the servers. I've been bombarded with questions like:

What's the IP address of serverX? serverY?
Where's serverX located? Is it in the other room?
I can't seem to find the server, do you remember where it's located?

Most of the time, I fight off the urge to tell them to ping the server to get the IP address or make a map, or just plainly give them the wrong information.

--------------------
keeping it simple...

rrb
SQLTeam Poet Laureate
1479 Posts
Posted - 2005-04-18 : 03:18:17

here's a good story - [rant] every single institution, employer, bank account, group, club, website and application expects me to remember a password, each of them uses a different password standard (i.e. alphanums only, nums only, max 6 chars, min 6 chars etc. etc.) and many don't let you assign your own password!!! How the hell am I supposed to be able to remember them all without writing them down?

IMPORTANT SECURITY LESSON: You must give the user a USABLE security system or they will end up breaking all security rules (like not writing down all their passwords and keeping them next to their account names)!!!!!!! [/rant]

--
I hope that when I die someone will say of me "That guy sure owed me a lot of money"

elwoos
Master Smack Fu Yak Hacker
2052 Posts
Posted - 2005-04-18 : 06:24:39

quote: drop an apple on their head (it worked for Newton ), preferably from one storey up (we don't want them dead do we?)

Jen, that question isn't fair!

Thanks for the stories guys, keep 'em coming

steve

A sarcasm detector, what a great idea.

Kristen
Test
22859 Posts
Posted - 2005-04-18 : 07:05:42

Why do all users use asterisks for their passwords?

jen
Master Smack Fu Yak Hacker
4110 Posts
Posted - 2005-04-18 : 22:43:27

quote: Originally posted by Kristen
Why do all users use asterisks for their passwords?

ROTFLOL

--------------------
keeping it simple...

rrb
SQLTeam Poet Laureate
1479 Posts
Posted - 2005-04-18 : 22:49:35

I have a great story about a friend who picked his girlfriend's password just by listening to her type it in. She was even in the next room! (no - there were no key-tones) Now see if you can guess what her password was....

--
I hope that when I die someone will say of me "That guy sure owed me a lot of money"

jen
Master Smack Fu Yak Hacker
4110 Posts
Posted - 2005-04-18 : 22:55:18

blank or spaces?

--------------------
keeping it simple...

rrb
SQLTeam Poet Laureate
1479 Posts
Posted - 2005-04-18 : 23:03:34

nice try, but no... just to add to the intrigue, we were on the old TTY terminals which were pretty clunky - but there was nothing special about the terminal she was using - it was the way she was typing it in! come on... maybe I should post a prize

--
I hope that when I die someone will say of me "That guy sure owed me a lot of money"

jen
Master Smack Fu Yak Hacker
4110 Posts
Posted - 2005-04-19 : 04:44:25

asdfg?

--edit for last guess
123456789

--------------------
keeping it simple...

elwoos
Master Smack Fu Yak Hacker
2052 Posts
Posted - 2005-04-19 : 05:53:09

she was saying the letters as she typed?

steve

A sarcasm detector, what a great idea.