Quite. Another reason I continue to respect and support LastPass. - Will
On Fri, Jun 8, 2012 at 11:18 AM, Andrew S. Baker <[email protected]> wrote:
> That's very cool indeed...
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
> On Fri, Jun 8, 2012 at 11:23 AM, Free, Bob <[email protected]> wrote:
>> Maybe I missed this during this discussion because I've been Deaning harshly due to vacation return, but I thought this was a very cool way to test if password hashes were in that table that's now floating around, or to demonstrate to folks what is actually in a table of >6M real passwords.
>>
>> A white hat "pass-the-hash" if you will :)
>>
>> https://lastpass.com/linkedin/
>>
>> From: Andrew S. Baker [mailto:[email protected]]
>> Sent: Thursday, June 07, 2012 6:25 PM
>> To: NT System Admin Issues
>> Subject: [dkim-failure] Re: To notify, or not notify (LinkedIn)
>>
>> Exactly. LinkedIn goes way beyond "online resume site."
>>
>> Oh, and don't forget about authentication to other sites.
>>
>> ASB
>> http://XeeMe.com/AndrewBaker
>> Harnessing the Advantages of Technology for the SMB market…
>>
>> On Thu, Jun 7, 2012 at 11:32 AM, Ziots, Edward <[email protected]> wrote:
>>
>> Actually the emails and passwords in LinkedIn, and the information you have posted about yourself, have a lot of value (spear-phishing attacks, company reputation hit (use your accounts to spread stuff on LinkedIn about your company or other companies in a negative light)). I could go on with the scenario, but you definitely don't want to be a target on that. (Grounds for termination, etc.)
>>
>> Z
>>
>> Edward Ziots
>> CISSP, Security +, Network +
>> Security Engineer
>> Lifespan Organization
>> [email protected]
>>
>> From: David Lum [mailto:[email protected]]
>> Sent: Thursday, June 07, 2012 11:14 AM
>> To: NT System Admin Issues
>> Subject: FW: To notify, or not notify (LinkedIn)
>>
>> Here's the discussion this morning with one of our Service Desk guys.
>>
>> _____________________________________________
>> Sent: Thursday, June 07, 2012 7:48 AM
>> To: David Lum
>> Subject: RE: To notify, or not notify (LinkedIn)
>>
>> David, this is *EXACTLY* what I was looking for. Thank you very much!
>>
>> No more comments from the peanut gallery here. :)
>>
>> _____________________________________________
>> From: David Lum
>> Sent: Thursday, June 07, 2012 7:45 AM
>> Subject: RE: To notify, or not notify (LinkedIn)
>>
>> Good questions!
>>
>> - How do we make the decision about what gets sent out and what doesn't
>>
>> Experience – it's part of why our wages are far more than minimum wage - we're paid to think, not just fill in checkboxes. For something more concrete: "if it's business-oriented and heavily used by said business then a notification should go out, if not, then no". If in doubt: Ask. There was discussion between three departments that happened before the LinkedIn notice was sent out, for example.
>>
>> - Do we have a clearly defined idea of where it ends
>>
>> I do, see above.
>>
>> - Several users are utilizing Dropbox and putting company property/product on that site. If it was hacked, that would be a lot worse than losing your "online resume" from LinkedIn, in my opinion.
>>
>> If so then I would hope that if you heard about Dropbox passwords being posted on the Internet that you would want to send out a note to the org, right? On the other hand this is one reason we DON'T want users using Google, Dropbox, etc. for corporate business – we don't have control of the security. This is one area that most employees seem to grasp…
>>
>> - Is Service Desk expected to field calls regarding non-NWEA items (LinkedIn for example)
>>
>> If it's about communications *we* send out, then yes. If we know what we're doing (and we do) it should be trivial to respond to these. It's our job to support our staff, even if some things are beyond our direct control.
>>
>> - Do we need to survey the Org and find a "list" of all the business related apps/sites and actively monitor them?
>>
>> No, we're paid to understand and know our environment. If we don't know the majority of what's on users' machines and what websites are commonly used by our staff then we're not doing our job. Do we know EVERY site they use? No. The key phrase is "commonly used".
>>
>> Dave
>>
>> _____________________________________________
>> Sent: Thursday, June 07, 2012 7:23 AM
>> To: David Lum
>> Subject: RE: To notify, or not notify (LinkedIn)
>>
>> David,
>>
>> Thank you for your follow-up and feeling concerned about our reaction. Let me state, I wasn't upset with the decision; I think what you did was a good thing. Here's the angle I am coming from:
>>
>> - How do we make the decision about what gets sent out and what doesn't
>> - Is Service Desk expected to field calls regarding non-NWEA items (LinkedIn for example)
>>
>> I am not trying to knock the fact we sent it out, even if I was acting in a joking manner yesterday. What I am trying to do is play the other side and ask questions that I feel really do need to be asked. Where do we stop? Yesterday when we were all talking, Dropbox was tossed out and it didn't seem to get the same response as LinkedIn. Several users are utilizing Dropbox and putting company property/product on that site. If it was hacked, that would be a lot worse than losing your "online resume" from LinkedIn, in my opinion.
>>
>> So what I am trying to drill down to is: how do we make these decisions, how do we support this when they happen, and do we need to survey the Org and find a "list" of all the business related apps/sites and actively monitor them?
>>
>> And if all this is "above my pay grade", then disregard my 7:00 am rambling :)
