Wow! That may be the best post I've ever read. It's like you do this for a living! :)
Mack S. Bolan

On Fri, Mar 16, 2012 at 6:05 AM, Andrew S. Baker <[email protected]> wrote:
> All great info, but so very totally out of context relative to the thread.
>
> - You posted about the relative security of passphrases
> - Discussion ensued about this relative to traditional passwords
> - People made various assertions to the need to continue protecting against insider threats
> - You post something which strongly suggests that insider threats are not the threats we should be looking for
> - People request clarification about your assertion, pointing out that insider threats have not gone away
> - You revert to form with classic discussion evasion and misdirection tactics
>
> *ASB*
> *http://XeeMe.com/AndrewBaker*
> *Harnessing the Advantages of Technology for the SMB market…*
>
> On Fri, Mar 16, 2012 at 12:18 AM, Kurt Buff <[email protected]> wrote:
>> Not really - the original article was interesting, and a good starting point for discussion.
>>
>> My point in response to Doug was not that the insider threat has disappeared but that the blanket statement that inside threats might no longer be dominant - something that I believe is probably true, with the rise of organized crime and hacktivism.
>>
>> Kurt
>>
>> On Thu, Mar 15, 2012 at 19:53, Andrew S. Baker <[email protected]> wrote:
>>> It's not like insider threats have plummeted to 0.
>>>
>>> The fact is that most organizations do not need to call for external infosec resources for insider threats.
>>>
>>> The Verizon security team dealt with ~855 cases worldwide. That's a good sample size for obtaining data about specific attacks, but it's not so large that it's fully representative of the entire attack landscape.
>>>
>>> The discussion here was about passwords, which I hope you'd remember considering you started it. Thus, within the context of the thread itself, the focus is on the usefulness and viability of strong passwords whether in the standard format, or as a passphrase.
>>>
>>> This other stuff you added is not really germane to the discussion, unless your goal is simply to hijack your own thread.
>>>
>>> *ASB*
>>> *http://XeeMe.com/AndrewBaker*
>>> *Harnessing the Advantages of Technology for the SMB market…*
>>>
>>> On Thu, Mar 15, 2012 at 6:43 PM, Kurt Buff <[email protected]> wrote:
>>>> Perhaps you might want to rethink your threat model:
>>>>
>>>> http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232601717/new-verizon-breach-data-shows-outside-threat-dominated-2011.html
>>>>
>>>> On Thu, Mar 15, 2012 at 13:50, Doug Hampshire <[email protected]> wrote:
>>>>> Are you sure about that? The vast majority of security incidents happen on the inside of your network from known individuals. Also it was addressing offline brute force attacks. Most online systems have lockout policies and other countermeasures to limit exposure to brute force attacks.
>>>>>
>>>>> On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott <[email protected]> wrote:
>>>>>> I'd rather have "good" passwords written down on a sticky note accessible only to a limited number of coworkers than "bad" passwords that can be exploited by any black-hat on the internet.
>>>>>>
>>>>>> Sent from my Windows Phone
>>>>>> ------------------------------
>>>>>> From: Heaton, Joseph@DFG
>>>>>> Sent: 3/15/2012 11:07 AM
>>>>>> To: NT System Admin Issues
>>>>>> Subject: RE: Worth some consideration...
>>>>>>
>>>>>> Wait… I'm NOT supposed to write my password on a sticky note? How am I supposed to let my coworker use my login, then?
>>>>>>
>>>>>> Joe Heaton
>>>>>> ITB – Windows Server Support
>>>>>>
>>>>>> *From:* Andrew S. Baker [mailto:[email protected]]
>>>>>> *Sent:* Thursday, March 15, 2012 7:49 AM
>>>>>> *To:* Heaton, Joseph@DFG; NT System Admin Issues
>>>>>> *Subject:* Re: Worth some consideration...
>>>>>>
>>>>>> That's an implementation problem.
>>>>>>
>>>>>> If I choose a passphrase of "Mary had a little lamb" then of course that will be relatively weak as passphrases go. That is not an inherent weakness of passphrases, but of people.
>>>>>>
>>>>>> Lots of things are undermined by poor choices. Completely random 20 character passwords with a unicode character set are undermined by having them posted on sticky notes.
>>>>>>
>>>>>> We didn't need a whole article to point that out.
>>>>>>
>>>>>> *ASB*
>>>>>> *http://XeeMe.com/AndrewBaker*
>>>>>> *Harnessing the Advantages of Technology for the SMB market…*
>>>>>>
>>>>>> On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <[email protected]> wrote:
>>>>>>
>>>>>> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>>>>>>
>>>>>> By Dan Goodin
>>>>>> Ars Technica
>>>>>> March 14, 2012
>>>>>>
>>>>>> Passwords that contain multiple words aren't as resistant as some researchers expected to certain types of cracking attacks, mainly because users frequently pick phrases that occur regularly in everyday speech, a recently published paper concludes.
>>>>>>
>>>>>> Security managers have long regarded passphrases as an easy-to-remember way to pack dozens of characters into the string that must be entered to access online accounts or to unlock private encryption keys. The more characters, the thinking goes, the harder it is for attackers to guess or otherwise crack the code, since there are orders of magnitude more possible combinations.
>>>>>>
>>>>>> But a pair of computer scientists from Cambridge University has found that a significant percentage of passphrases used in a real-world scenario were easy to guess. Using a dictionary containing 20,656 phrases of movie titles, sports team names, and other proper nouns, they were able to find about 8,000 passphrases chosen by users of Amazon's now-defunct PayPhrase system. That's an estimated 1.13 percent of the available accounts. The promise of passphrases' increased entropy, it seems, was undone by many users' tendency to pick phrases that are staples of the everyday lexicon.
>>>>>>
>>>>>> "Our results suggest that users aren't able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language," researchers Joseph Bonneau and Ekaterina Shutova wrote in the paper (PDF), which is titled "Linguistic properties of multi-word passphrases." "Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security which is insufficient against offline attack," the paper says.
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
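As an added example that is not part of the thread, the arithmetic behind the quoted figures in Python: the entropy of truly random word selection beside a first-order strength estimate (log2 of guesses spent per cracked account, my simplification rather than the paper's partial-guessing metrics) taken from the PayPhrase dictionary result, a Zipf model showing why a small dictionary covers far more of a natural-language phrase distribution than a uniform one, and an offline guess rate put next to the outcome. The 7,776-word list size, the Zipf exponent and the 1e9 guesses/s rate are assumptions, not figures from the thread.

```python
import math

# Figures quoted in the thread, used here as constructed constants: a dictionary
# of 20,656 phrases recovered about 8,000 PayPhrase passphrases, an estimated
# 1.13 percent of the available accounts.
DICTIONARY_SIZE = 20_656
PHRASES_FOUND = 8_000
SUCCESS_FRACTION = 0.0113


def uniform_passphrase_bits(words: int, wordlist_size: int) -> float:
    """Bits of entropy when every word is drawn uniformly from the wordlist."""
    return words * math.log2(wordlist_size)


def effective_bits_from_attack(guesses: int, success_fraction: float) -> float:
    """First-order strength estimate from an observed dictionary-attack result.

    If D guesses per account crack a fraction p of accounts, the attacker pays
    D / p guesses per cracked account; log2 of that is the bit strength the
    cracked slice of the population actually had (assumption: a simplification
    of the cited paper's partial-guessing metrics, not the paper's own number).
    """
    return math.log2(guesses / success_fraction)


def zipf_coverage(population: int, top_k: int, exponent: float = 1.0) -> float:
    """Fraction of users hit by guessing only the top_k most popular phrases when
    choice follows a Zipf (natural-language-like) law; uniform choice would give
    top_k / population. The exponent is an assumed model parameter."""
    weights = [1.0 / (rank ** exponent) for rank in range(1, population + 1)]
    return sum(weights[:top_k]) / sum(weights)


def offline_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected seconds to search half of a 2**bits space at an offline rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    print(f"4 random words from a 7,776-word list: {uniform_passphrase_bits(4, 7776):.1f} bits")
    print(f"Cracked PayPhrase slice, first-order:   "
          f"{effective_bits_from_attack(DICTIONARY_SIZE, SUCCESS_FRACTION):.1f} bits")
    print(f"Zipf: top 2,000 of 20,656 phrases covers {zipf_coverage(DICTIONARY_SIZE, 2000):.0%}; "
          f"uniform would be {2000 / DICTIONARY_SIZE:.0%}")
    print(f"30-bit phrase, offline at 1e9 guesses/s: {offline_seconds(30, 1e9):.2f} s")
```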
