Posted on 12/20/2014 1:18:13 AM PST by Spktyr
Also, amusing picture of an apparently very upset Angelina Jolie with the idiot Sony executive lady whose liberal hypocrisy in emails has been exposed at the source link.
>> Ironically, the security evaluation was released in the hack group’s last data dump.
Ironic.
http://www.newsfactor.com/news/Sony--A-Studio-Ripe-for-Hacking/story.xhtml?story_id=103003JX4B3L
The stolen files expose lax Internet security practices inside Sony such as pasting passwords into emails, using easy-to-guess passwords and failing to encrypt especially sensitive materials such as confidential salary and revenue figures, strategic plans and medical information about some employees. Experts say such haphazard practices are common across corporate America.
"Most people who say they're not doing that are lying," said Jon Callas, co-founder and chief technology officer for Silent Circle Inc., a global encrypted-communications service.
The emails show CEO Michael Lynton routinely received copies of his passwords in unsecure emails for his and his family's mail, banking, travel and shopping accounts, from his executive assistant, David Diamond. Other emails included photocopies of U.S. passports and driver's licenses and attachments with banking statements. The stolen files made clear that Diamond was deeply trusted to remember passwords for Lynton and his family and provide them whenever needed.
This is typical of all corporations. For all kinds of reasons, security is not good.
So, the Republicans pulled off this hack??? :=)
Where I work, outgoing emails are scanned for possible passwords. If you are caught sending a password, any password, in email, the following happens:
Furthermore, password complexity is strictly enforced. Such things as Sonym13 would be disallowed.
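The two controls the poster describes, scanning outgoing mail for passwords and rejecting weak ones such as "Sonym13", can be sketched in a few dozen lines. The block below is an added example, not code from this thread or from any of the companies mentioned; the sample messages are constructed (the "assistant mails the boss his password" line imitates the practice the article describes, it is not text from the Sony dump), the organisation term "sony" and the tiny deny list are assumptions, and the policy numbers (12 characters, 3 of 4 character classes) are illustrative.

```python
"""Outbound-mail credential scan and password policy check (added example)."""
import re

# Constructed sample messages for the demo; not text from any real mailbox.
SAMPLE_MESSAGES = [
    "Michael, your bank login is mlynton and the password: Tr0ub4dor&3!",
    "Lunch moved to 1pm, see you in the lobby.",
    "pw for the travel site is Sonym13, let me know if it fails",
]

# Words that usually precede a credential in a message body.
KEYWORD_RE = re.compile(r"\b(?:password|passwd|pwd|pw|passcode|pin)\b", re.IGNORECASE)
ORG_TERMS = ("sony",)                                        # assumed organisation name
DENYLIST = {"password", "welcome1", "letmein", "changeme"}   # tiny illustrative deny list
QUOTES = "\"'()<>[]"


def char_classes(s):
    """Count how many of lower/upper/digit/symbol appear in s (0..4)."""
    return sum([
        any(c.islower() for c in s),
        any(c.isupper() for c in s),
        any(c.isdigit() for c in s),
        any(not c.isalnum() for c in s),
    ])


def looks_like_password(token):
    """Heuristic: a secret-looking token is 6+ chars and mixes at least two classes."""
    return len(token) >= 6 and char_classes(token) >= 2


def find_credential_leaks(body):
    """Return (keyword, token) pairs where a password-like token follows a keyword
    within the next few words ("password: X", "pw for the site is X", ...)."""
    findings = []
    for m in KEYWORD_RE.finditer(body):
        tail = body[m.end():m.end() + 80]
        for tok in re.findall(r"[^\s,;]+", tail)[:8]:
            tok = tok.strip(QUOTES)
            if looks_like_password(tok):
                findings.append((m.group(0), tok))
                break
    return findings


def scan_outbound(messages):
    """Map message index -> findings for every message the mail gateway should hold."""
    held = {}
    for i, body in enumerate(messages):
        findings = find_credential_leaks(body)
        if findings:
            held[i] = findings
    return held


def check_complexity(pw, min_len=12, min_classes=3):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    n = char_classes(pw)
    if n < min_classes:
        problems.append(f"only {n} of 4 character classes")
    low = pw.lower()
    if any(t in low for t in ORG_TERMS):
        problems.append("contains organisation name")
    if low in DENYLIST:
        problems.append("on deny list")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", pw):
        problems.append("word followed by digits")
    return problems


if __name__ == "__main__":
    for i, findings in scan_outbound(SAMPLE_MESSAGES).items():
        print(f"HOLD message {i}: {findings}")
    for candidate in ("Sonym13", "correct-Horse7-battery!Staple"):
        print(candidate, "->", check_complexity(candidate) or "ok")
```

The keyword-plus-lookahead scan is deliberately loose: in a real gateway you would tune the keyword list and token heuristic against your own mail flow to trade false positives against the cost of letting a credential out, and hold the message for review rather than silently dropping it.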
Banks are the exception. The best security people end up at banks, government, and companies like MS and Google.
Nah. Just more purposeful conflation by the American Pravda / Ministry of Propaganda.
How about the power companies that run our grid, pipelines, etc?
How about power companies?
I know from an industry insider that they are moving (though not nearly finished) to secure better. They are still, in places, a wide open fishbowl, but in other places have locked down well.
True that. You should see some of the online & inline security systems I've built the last seven years. We can do stateful packet inspection on-the-fly without slowing down application traffic and predict behaviors before they happen now.
I was recruited by DHS four years ago to run one of their data collection points (I won't say where...) but they simply didn't pay enough and I don't consider it my "patriotic duty" to take a huge pay cut just to work for the gub'mint.
We do that over here. I got busted in 2011 for a packet from ShowMyPC that would have possibly allowed for remote computer access. I was severely reprimanded, and told that if they EVER see that packet again, and it is NOT from one of the two sanctioned groups, I would be escorted off the campus by Security.
I honestly didn't know I had violated until two grim-expressioned men showed up at my cubicle, within one hour of allowing an Ohio state government user to view my PC for instructions on how to use the system I wrote.
Thank God I was being 100% cool and was 100% honest about what happened. I still was severely reprimanded. And, I learned our guys peek at the packet level in real-time.
This practice pretty much ensures that people will write down the everchanging complex passwords somewhere near their workstation. Ripe for social engineering.
Freedom ≠ Free Stuff☭
I, for one, welcome our new Cybernetic Overlords /.
I actually went ahead with it, because OTrauma was elected in 2008. I figured many businesses would go belly up. I was right, many of my peers ended up with pink slips when their firm shut down.
The downside is I am paid 40k less per year than I am worth in the open marketplace.
The upside is I am still working, and, having significant talent like I do, I am advancing to Architect role in 2015.
Go ahead. Try that stuff here.
I know someone fired for just that sort of thing.
Some of the stuff I've seen still RUNNING the power companies is downright scary.
I won't say which companies, however some of them are still running Windows NT 4.0 Servers running core functions at the power plant. Most of these servers are now virtualized to eliminate the problem of hardware failures however they're still not protected properly with multi-layer security (DMZ, Web, App, Core network zones) or multi-factor authentication systems to prevent unauthorized access.
BTW: Just last week I caught several Russian hackers using DNS spoofing through compromised South American, Netherlands- and Spain-based companies trying to hack into one of our public FTP Servers. They tried brute force SSH password cracking and executed over 59,000 brute force attempts in just over 3 minutes.
They didn't get in because we require matching certificates and dual-factor authentication for Internet exposed services and within their first 10 attempts (which happened in microseconds) I had an alert fired off and tracing programs already running to determine the true locations of the Russian hackers.
My own opinion based on the results I collected is that it was Russian State Sponsored hacking. It had to be due to its sophistication, the sheer volume of brute force password attempts in such a small amount of time, and the fact that the IPs traced back to Russian Government facilities.
Granted, I'm not supposed to say those things outside the bank and the FBI (who we work with on these things -- they're working with ALL the top tier banks directly) certainly wouldn't "approve" of my saying it.
I know it’s SFTP but still, can’t you autoblock an IP after X number of failed attempts? You wouldn’t necessarily slow throughput if you limited the filter to authentication. Once a channel was established, pass through the filter without incident.
Your public FTP is still SFTP, right?
Additionally all external/internet based access to the server requires a matching certificate AND secondary authentication which would include the combination of a PIN and a randomly generated code that's good for 15 seconds.
All of our Internal access to those servers happens over a private switched network using virtual KVMs to enable console port (serial port) based access.
I developed the security requirements and control standards for our organization. They passed our own internal Risk and Audit folks as well as the Feds.
After the first of the year I'll be tightening things down further. At some point it'll make our Unix/Linux and Windows Admins and Engineers scream, but that's ok. My job is to protect the bank. No one gets through on my watch.
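The exchange above (a burst of tens of thousands of SSH failures with an alert inside the first ten attempts, and the follow-up question about auto-blocking a source after X failures while leaving established channels alone) is the classic fail2ban-style control. Here it is as an added example, not code from any poster in this thread or from the bank described: a detector run over a constructed auth.log. It assumes OpenSSH's syslog line format, a threshold of 10 failures from one source inside 60 seconds (then a one-hour block), a second check for the distributed case the bank poster describes (one account hammered from five or more different sources, which a per-IP counter alone never sees), and the year 2014 for the year-less syslog timestamps. The log lines are generated inline and are not a real capture.

```python
"""SSH brute-force detection: per-source auto-block plus a distributed-source check (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH auth.log shape, e.g.
# "Dec 19 23:00:00 bastion sshd[4000]: Failed password for invalid user admin from 198.51.100.7 port 50000 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
LOG_YEAR = 2014  # syslog lines carry no year; assumed for the constructed sample


def constructed_log():
    """Synthetic auth.log (constructed, not a real capture): a fast burst from one
    source, one legitimate key login, a slow trickle under threshold, and a
    low-and-slow spray against 'root' from six different sources."""
    base = datetime(LOG_YEAR, 12, 19, 23, 0, 0)
    fmt = "{:%b %d %H:%M:%S} bastion sshd[{}]: {} for {} from {} port {} ssh2"
    lines = []
    for i in range(30):  # 30 failures in under 4 seconds from one source
        t = base + timedelta(milliseconds=130 * i)
        lines.append(fmt.format(t, 4000 + i, "Failed password", "invalid user admin", "198.51.100.7", 50000 + i))
    lines.append(fmt.format(base + timedelta(minutes=1), 4100, "Accepted publickey", "alice", "192.0.2.10", 40001))
    for i in range(5):   # one failure every two minutes: never 10 inside a 60 s window
        t = base + timedelta(minutes=2 * (i + 1))
        lines.append(fmt.format(t, 4200 + i, "Failed password", "deploy", "203.0.113.9", 51000 + i))
    for i in range(8):   # same account, six sources, two seconds apart
        t = base + timedelta(minutes=5, seconds=2 * i)
        lines.append(fmt.format(t, 4300 + i, "Failed password", "root", f"203.0.113.{20 + i % 6}", 52000 + i))
    return lines


class BruteForceDetector:
    def __init__(self, per_ip=10, spray_sources=5, window=timedelta(seconds=60), block_for=timedelta(hours=1)):
        self.per_ip, self.spray_sources = per_ip, spray_sources
        self.window, self.block_for = window, block_for
        self.failures = defaultdict(deque)   # ip   -> (ts, ip) of recent failures
        self.by_user = defaultdict(deque)    # user -> (ts, ip) of recent failures
        self.blocked = {}                    # ip -> block expiry (what the firewall rule would carry)
        self.alerts = []                     # (ts, kind, subject, count)

    def _trim(self, q, ts):
        """Drop entries older than the sliding window."""
        while q and ts - q[0][0] > self.window:
            q.popleft()

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        ip, user = m["ip"], m["user"]
        if ip in self.blocked and ts < self.blocked[ip]:
            return "drop"            # firewall already drops this source
        if m["event"].startswith("Accepted"):
            return "accept"          # established sessions are never counted or throttled
        q = self.failures[ip]
        q.append((ts, ip))
        self._trim(q, ts)
        if len(q) >= self.per_ip:    # burst from one source: block it and alert
            self.blocked[ip] = ts + self.block_for
            self.alerts.append((ts, "per-ip", ip, len(q)))
            q.clear()
            return "block"
        u = self.by_user[user]
        u.append((ts, ip))
        self._trim(u, ts)
        sources = {src for _, src in u}
        if len(sources) >= self.spray_sources:   # many sources, one account
            self.alerts.append((ts, "spray", user, len(sources)))
            u.clear()
            return "spray"
        return "fail"


def analyze(lines):
    """Run the detector over a log and attach a tally of per-line verdicts."""
    det = BruteForceDetector()
    det.verdicts = Counter(det.feed(line) for line in lines)
    return det


if __name__ == "__main__":
    det = analyze(constructed_log())
    print(dict(det.verdicts))
    for ts, kind, subject, count in det.alerts:
        print(f"{ts:%H:%M:%S} {kind:6} {subject} ({count})")
```

Two design points worth noting. The block decision is made on the authentication failure event only, so an established channel (the "Accepted" line here) is never counted against its source, which is exactly the "limit the filter to authentication" idea raised in the question above. And the per-user spray check exists because an attacker routing through compromised hosts in several countries can keep every single source under the per-IP threshold; counting distinct sources per target account catches that shape even when no one IP misbehaves enough to be blocked.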
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.