[SGVLUG] security breeches by chinese

Emerson, Tom (*IC) Tom.Emerson at wbconsultant.com
Mon Mar 30 11:26:47 PDT 2009


> -----Original Message----- Of matti
[...]
> Vast Spy System Loots Computers in 103 Countries
...
and
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html


Interesting line from the abstract:

   "The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defences against social-malware attacks will be a real challenge."

Personally, I think they could easily strike "in government agencies" from this as this applies equally to the private sector as well -- in fact, the last time my password expired here, the "rules" for new passwords changed to include not only letters and numbers, but SYMBOLS as well -- that makes it "tiresome" to the point where more people have resorted to Post-its for password storage...

Although it does increase the pool of characters /typically/ used for passwords by about 30, and it is admittedly less expensive than providing everyone with a SecurID card/key-fob, it really only hinders shoulder-surfers -- if an intruder manages to get their malware installed by "social" means, it doesn't matter how complex you make your password "rules" -- a keylogger will reveal all...  (it doesn't really change things for those that "brute force" a password as they should already be selecting from that pool of characters as well)

While training the users to be more proactive about security may help, (in particular, the "value" of documents people deal with where they work), it's the "social hacking" aspect of this that's the killer -- after all, look at how this thread started: Matti mistyped "breeches" instead of "breaches", and I'll bet more than half of you didn't even notice [in fact, I'll bet half of them that "didn't notice" didn't even READ the title and just clicked "read next message" in their client]  OTOH, bugmenot/buymenot may have been noticed by more folks :)

My point here is that an intentional spelling error in a URL of a popular site could even catch people on this list -- especially for lookalike characters (I/1/l, O/0, q/g, and so on --   "fancier" [GUI] mail readers may actually make things worse depending on the "default" font used)
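The lookalike-character problem above is one a mail gateway or a user's client can check for mechanically, since a human reader cannot be relied on to spot "paypa1" versus "paypal" in a proportional font. The following is an added example, not code from the original post or from the SGVLUG list: it folds each hostname in a message to a "skeleton" in which the confusable pairs the post names (I/1/l, O/0, q/g, plus a few common others) collapse to one canonical character, then compares that skeleton against an allowlist of domains the organisation actually expects. The allowlist, the confusable tables, and the sample message are all constructed for illustration; the skeleton idea is borrowed from Unicode TR39 but restricted here to ASCII lookalikes.

```python
"""Flag lookalike (confusable-character) domains against an allowlist.

Added example, not from the original SGVLUG post. Assumptions, all constructed
for illustration: the TRUSTED allowlist, the confusable tables, and the sample
message below. The approach mirrors the "skeleton" idea from Unicode TR39,
restricted to the ASCII lookalikes the post mentions (I/1/l, O/0, q/g).
"""
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation actually expects to see.
TRUSTED = {"paypal.com", "google.com", "sgvlug.org"}

# Multi-character sequences that render like a single letter in many fonts.
# Applied first, before single-character folding.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}

# Single characters folded to a canonical lookalike. The skeleton lower-cases
# its input first, so capital I is handled through "i".
SINGLE_CONFUSABLES = {
    "1": "l", "i": "l", "|": "l", "!": "l",   # I / 1 / l / |
    "0": "o",                                  # O / 0
    "q": "g", "9": "g",                        # q / g / 9
    "5": "s", "$": "s",                        # S / 5 / $
    "2": "z",
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def skeleton(host: str) -> str:
    """Fold a hostname so that visually similar names collapse to the same
    string. Both sides of a comparison are folded, so a legitimate "i" in a
    trusted name is folded exactly the same way as a lookalike "1"."""
    s = host.lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return "".join(SINGLE_CONFUSABLES.get(c, c) for c in s)


def _hostname(url: str) -> str:
    """Extract and normalise the hostname; tolerate bare 'host/path' input."""
    parsed = urlparse(url if "://" in url else "//" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_url(url: str):
    """Return (verdict, matched_trusted_domain).

    verdict is 'trusted'   - hostname is literally on the allowlist,
               'lookalike' - not on the allowlist, but folds to the same
                             skeleton as an allowlisted name,
               'unknown'   - unrelated to any allowlisted name.
    """
    host = _hostname(url)
    if host in TRUSTED:
        return "trusted", host
    sk = skeleton(host)
    for trusted in sorted(TRUSTED):
        if skeleton(trusted) == sk:
            return "lookalike", trusted
    return "unknown", None


def scan_text(text: str):
    """Find every http(s) URL in a message body and classify it."""
    return [(u,) + check_url(u) for u in URL_RE.findall(text)]


# Constructed sample message (not a real mail).
SAMPLE_MESSAGE = """Hi all,
Please review your account at https://www.paypa1.com/login before Friday.
Unrelated: the LUG site is at https://sgvlug.org/ and search is https://g00gle.com
"""

if __name__ == "__main__":
    for url, verdict, ref in scan_text(SAMPLE_MESSAGE):
        note = f" (looks like {ref})" if verdict == "lookalike" else ""
        print(f"{verdict:9s} {url}{note}")
```

Two design points worth noting. First, the allowlist side is folded too, so a domain that legitimately contains an "i" or an "l" is compared skeleton-to-skeleton rather than being mis-flagged. Second, an "unknown" verdict is not a clean bill of health: this check only catches names that impersonate something you already trust, which is exactly the case the post describes, and nothing else.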
