Archive for October 18th, 2009
30 Years of Password FAIL
It’s not simply that we have empirical evidence suggesting that passwords are easy to crack; neuroscience has indicated that the human brain simply doesn’t perform well at free-associating text that, on its own, has little inherent meaning. As one of the papers cited puts it, “the multiple-password management crisis [can be viewed as] a search and retrieval problem involving human beings’ long-term memory.” And, although our long-term memory for images and words that we’ve assigned meanings to is quite good, we don’t do as well with passwords, which (ideally, at least) should look like a near-random string of characters. It’s another challenge entirely to remember which password to associate with a specific account.
Well, there you have it. The human brain just can’t handle complex passwords? Really? Uhhh, how about this theory in its place:
“PEOPLE ARE RAPIDLY BECOMING SLOTH LIKE LUMPS OF STUPID”
… Yeah, now I feel better…
So where were we… Oh yeah, evidently the human brain isn’t so good at linking random strings of data to the login data needed to access systems. Interesting… So this lump of grey matter is generally unable to do this well after thousands and thousands of years of evolution, eh? Seems to me that through rote memory as well as muscle memory I do just fine with complex passwords. Or is it that I am some sort of Übermensch?
This only leads me back to the idea that the human condition really is just fat, dumb and lazy, and this is just a malaise we have created for ourselves. Let the empirical data of this “survey” be damned. What’s worse, though, comes in another passage later on:
One possibly disturbing development was noted: about seven percent of the respondents had become cynical about computer security, having decided that no amount of adherence to best practices would protect them from hackers. Fortunately, this group seemed to be just as good (or just as bad) about using best practices as the rest of the population.
This bugs me. Mostly because I know it’s all too true that many people, if they don’t really understand the precepts of infosec, will just not care or give up. They will instead, if allowed, become the worst security threats to an environment through their sloth.
I see this nonchalance every day… And every time I say we need to ensure that things are done securely, I get the look of:
“There he goes again”
Sheeple.
Does Your Company Classify, Protect, and Track Its Data?
Ex-Ford employee held in data theft
Engineer charged with copying proprietary documents and trying to sell them in China
Bryce G. Hoffman / The Detroit News
The Justice Department charged a former Ford Motor Co. engineer with stealing company secrets and trying to peddle them to Chinese competitors.
Chinese-born Xiang Dong Yu — also known as Mike Yu — was arrested Wednesday at Chicago’s O’Hare International Airport when he tried to re-enter the country from China. The 47-year-old is charged with five counts of theft of trade secrets, attempted theft of trade secrets and unauthorized access to a protected computer.
According to a federal indictment unsealed Wednesday, Yu was a product engineer for Ford from 1997 to 2007 and had access to Ford trade secrets. Law enforcement officials say that, just prior to leaving the Dearborn automaker, Yu copied thousands of confidential documents, including what they described as “sensitive Ford design documents” and “system design specification documents.”
Ya know, is it me, or are we seeing more cases of industrial espionage from China lately? Hmmm, guess it’s just my imagination… NOT. So, this begs a question:
“Just how many more cases have there been that just never got caught on to?”
Now, I assume that Ford caught on to his espionage in one of two scenarios:
Now, I would love to think that they had auditing measures in place and caught on to his copying of mass quantities of data to an external drive… But… Well, given what I have seen in many companies, this just isn’t as likely a scenario as one might suspect.
So, ask yourself this question… Just how many companies out there that make important machines or hold important data are actually performing the “due diligence” to protect their own IP from being stolen and placed in the hands of the likes of China?
My last post has insight into the collective mindset at many corporations. Security has always been the first budget to be cut in bad times, and even today, with all the threats in the environment, the corps still cut off their nose to spite their face.
Now take this idea and apply it to the government, a place where turf wars are preventing the space from being properly secured and the laws are weak…
Good god we are screwed…
No wonder all of the “Cyber Tsars” keep quitting eh?
Just sayin…
Anyway, one has to wonder just how much of our data is in Chinese hands thanks to the likes of Mr. Yu and others like him… Perhaps we will never know, because companies are just not able, or willing, to implement the right proactive remediations to stop them, or even to track their data leaving their domains…
** EDIT ** Well, in looking through some Google searches, it seems that they caught Yu getting OFF the plane from Mainland China… So… OOPSIES, I guess Ford was not too proactive, were they… Damage done.
An IT security pro’s personal tale of a long and bloody job hunt and what it says about the industry’s current state of affairs.
Why is it that when a serious breach occurs, the executives panic and find the budget to spend extraordinary amounts of money to remediate the breach? Why is it that they seem to degrade a vital component in any business — the security of their data? Don’t they know that one serious breach can jeopardize the existence of their business and perhaps lead to criminal investigations? Why is it that many organizations just have one security executive with no staff and hardly any budget to work with as just a figurehead in the organization? Several states and the federal government have enacted or are now enacting tough laws, some of which carry severe penalties should a serious breach occur, including requirements of complete public disclosure to all the victims associated with the breach.
Never mind the mountains of lawsuits that can put a company out of business. This is what’s going on — many companies are revolting, but the laws are being enacted, and ignorance is not bliss. Doing more for less is not the answer. It is not good business to put an organization’s assets at risk — particularly in this economy where security staffs are depleted and not valued. This is not an area where businesses should be doing more with less. They should be doing the opposite to ensure their survival.
At the federal level, top information security specialists have been saying for years that our current infrastructure is at grave risk. Serious breaches have since occurred, and the government is now scrambling. Most of the agencies have been mobilized, and at least four of the national laboratories are in an all-out effort to combat breaches and prevent future ones. Billions of dollars were budgeted to upgrade and secure the nation’s infrastructure, and why was this? Because the same pattern keeps repeating itself. Security is ignored or pushed lower in priority until a crisis erupts and then there is a scramble to correct the problem.
While I am still gainfully employed, I also can say I have seen this “effect” first-hand in many places over my time in the field of information security. I can also attest that in this climate companies are still very much trying to do more with less, including security. Much of the time, though, they instead choose “security through obscurity” or outright ignorance as their way ahead.
Frankly, unless the government creates and imposes laws and large fines for data loss, all too many companies are willing to sign off on the risks of compromise, even if they are high, and just hope for the best. At worst, there are companies with CIOs who are just not cognizant at all about information security and instead focus all their attention on the financial bottom line and “customer satisfaction”.
Still worse, imagine the CIO or the CSO who knows the dangers and is forced to, or chooses to, ignore them to save the company money. In the end, though, they are all likely to feel the sting of the hackers’ keyboard as they steal their data and perhaps their reputations.
So why is it that these companies and C-level execs just fail to see, or blind themselves to, the dangers and fail to work toward remediating them?
Greed?
Sloth?
Inability to grasp subtle concepts like hacking?
I really wonder…