March 6th, 2005, 09:39 PM
Stupid Security Tricks
This article is 9 days old, but it makes an IMPORTANT point about day-to-day SECURITY practices.
February 25, 2005
Wayne Rash: Stupid Security Tricks
By Wayne Rash
I'd just finished tying my shoes, and then looked up at the conveyor belt as the flood of personal items emerged from the X-ray machine. The security screeners at Washington-Dulles International Airport were trying their best to be helpful, but were clearly harried. One of them started to hand me an IBM ThinkPad as it came toward me, but it wasn't mine. I'd just placed my nearly identical laptop in my briefcase.
Then I saw something I couldn't believe. As the TSA guy put the laptop back into the gray plastic tray, I saw a piece of yellow paper attached to the surface. On it was a list of access numbers, user names and passwords, all neatly typed. Clearly, this computer was owned by someone who couldn't remember their login information. I wasn't surprised, considering that there were a half dozen logins written out.
That was alarming, but what happened next was even more alarming: I noticed that the owner of the computer had a government ID card around his neck, identifying him as working for an agency heavily involved with fighting terrorism. An attacker could compromise agency security simply by being fast with a camera phone, or just by remembering what he read.
You'd think that with all the focus on security, such things wouldn't happen. But if you think that, you'd think wrong. Despite all of the warnings, people still write down their passwords. Even so, attaching those passwords directly to the laptop is a new low.
That lapse was more obvious than usual, but no more stupid than usual. While there are limits to most types of human behavior, stupidity knows no bounds.
Simply avoiding stupidity can go a long way toward enhancing security on your system and network.
Source here - http://www.securitypipeline.com/60403728
Avoiding Stupid Security Errors
So how do you avoid stupid security errors? Ask yourself three questions every time you work with an asset that must be kept secure:
- Does the action I'm considering make sense? I was so interested in solving the problem with the server that I ignored my own normal practices. That was pretty stupid.
- Does the action I'm considering violate published security practices? Don't write down your passwords, much less the logon details and user names. Even a second's worth of thinking should have reminded the government employee that attaching the information to their laptop was a really stupid idea.
- Does the action take all aspects of security into account? The office server had a firewall, it required users to log in, and it was designed so that people could only get to information they needed to have access to. But if someone steals the computer, they can have their way with it, regardless of protections you've put into place. Forgetting about physical security was pretty stupid.
Kindly read the whole article; you'll see. You'll find the situations somewhat related to us, or even more so to the people around us.
March 6th, 2005, 11:39 PM
The problem here is really that the government, as an entity, doesn't hire the best. They hire the willing.... Those willing to sacrifice quality for "toeing the line and collecting the benefits". Those that will take a little lower pay for "payola" in the twilight years. Those that know that a little work to get the job and a little work to keep it through the probationary period means that firing them is like an individual trying to extract the tooth of a Tyrannosaurus Rex, alone and without anaesthetic.
That's the problem....Idiots with responsibility, no training and no consequences.
Did I just define Government?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
March 7th, 2005, 12:31 AM
Wow. Direct hit!
Idiots with responsibility, no training and no consequences
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
March 7th, 2005, 06:04 AM
And sometimes they overlook the best due to silly rules... one example... the FBI will not hire people with tattoos...
Learn like you are going to live forever, live like you are going to die tomorrow.
March 7th, 2005, 06:58 AM
Sometimes... reality bytes
There are also occasions when people with Proper Training "and/or" eXPerience can be idiots. It happens mostly in organizations where the SENIOR guys are tired of doing what they are doing.
You know this, guys, I've been with people who only care about the ticking clock ("8AM-5PM watcher" kind of guys). They believe that they are smart enough not to work anymore, for reasons like "give it to the newbie, that's the reason you've hired them" or "Who's in charge here? Me, right? So go on and work". These SENIORITY things I see every day. And many factors push them to be stubborn or stupid, including:
1. Underpaid – Even here at AO, you'll hear these cries. Admins are overworked, underpaid and sometimes paranoid.
2. Under-development – career-wise, most of the Tech guys tend to stay as Tech guys longer because they are actually best at it, while the greenies end up with the management positions; let's say 10 Tech support and 1 Tech Manager. Not all can be the BIG guy. It's just the reality in the Organization.
3. Ego.. Ego… Ego… Dam* like an Echo in the air.
TS, I agree with you about the idea that most people will shoot for an easier or lower job, because either 1) it is currently what fits them, or 2) they don't have any choice anymore. Temporary jobs can lead to only two things: a finished contract, or renewal of the contract and the loop.
I know the idea is not to treat people as smaller because they are small, but rather to encourage them to strive for the BIGGER FISH, for a better career. And one note: "everybody starts low, most will aim high, some will achieve it, some won't" - Why? Because they chose it, and then in the end they blame the newbie for showing off and taking their post. I guess that's why more people are stupid or playing stupid. Reality bytes.
But going back to SECURITY, the issue of being stupid is somewhat related to not having proper practices and losing a little sense called "common". After several months of reading topics here in AO and finally joining this year, I am more aware of some DO's and DON'T's in securing things, especially my Box. It has helped me a lot, and it gives me the drive to stay out of stupidity and learn more. Thanks AO! It really helps...