On Tue, Oct 5, 2010 at 4:19 PM, Bart Silverstrim <[email protected]> wrote:

> Honestly it would be a lot easier just to offer the user a candy bar for
> their password (google for the reference if you didn't know about it)
>

There are things one can do to reduce the fear of password sharing, but it
all boils down to end user education. That's exactly why I solved the
original query I had with technology, not (as one early suggestion was)
telling people to turn it off themselves. It's absurd to rely on end users
if a relatively simple solution exists.


> Sometimes reading the paranoia from some companies is like listening in on
> a game of IT Clue. I get into their salary spreadsheet, using an XBox
> running Linux, hooked into a drop in an unused closet, which uploads a worm
> into their printer server with outdated firmware, then BAM! It emails me
> their print jobs!
>

I think a laptop connecting to an appropriately named access point (be it
one that matches a company-run one by a targeted attacker, or something like
linksys or netgear) is much more likely than sneaking a modded Xbox into
a physical location, looking for unpatched things on non-PC-related
equipment.


> Nothing on you in particular, I just think that sometimes companies go out
> of their way for wacky scenarios that really shouldn't be much of a concern
> in the first place while leaving open other more obvious routes of
> penetration, and forgetting their biggest security weakness is their users.
> The description you're giving is that the user will associate their Mac with
> a common AP, the attacker then targets that machine with an OS X exploit to
> get rooted, then implant a trojan that then attacks the wired network
> for...known files? Spreading a worm? Hopping shares as a user whose
> credentials they'd still have to steal, assuming the hacked laptop still
> needs to have something steal the credentials of someone who has access to
> the protected network and not just the local laptop credentials...
>

How could it be "on me"? I'm not the brainiac, I'm the person solving the
need. One can't ignore a PCI auditor's request AND expect to be PCI
compliant.


> All possible but you'd have to be a pretty good target to have someone
> gunning for you like that. Or be stupid enough to take your laptop to
> Defcon.
>

SOME of my clients wouldn't be bad targets. Most are too mundane to care
about. But again, if you are required to pass a PCI audit, you can't answer
by saying "ehh, who would want our crap anyway". PS: This client runs enough
WiFi and processes enough credit cards to absolutely have to give things
like this 'passing thought'. The alternative would be the type of lockdown
that you'd just be complaining about, that companies lock down everything and ruin
end user productivity.


> Meanwhile, other actual blackhats just call the user pretending to be the
> help desk and just ask them for a username and password to troubleshoot a
> problem with the flux capacison marangue server so they can push Windows
> updates to the user's workstation. And offer them a chocolate bar.
>

Again, only repeated notifications never to give your password out via phone
or email, and repeated reminders that the help desk will never ask for a
password can solve a non-technological problem. PS: I always thought
offering a reward of a day off or maybe a $250 bounty for turning in any
help desk person who DOES ask for a password might stop things pretty
quickly. :)


> Oh well. Fun times.
>

Without bugs, hackers, hardware crashes and stupid end users, would I really
be employed? I'm glad for the headaches.
_______________________________________________
MacOSX-admin mailing list
[email protected]
http://www.omnigroup.com/mailman/listinfo/macosx-admin