All great info, but so very totally out of context relative to the thread.

- You posted about the relative security of passphrases
- Discussion ensued about this relative to traditional passwords
- People made various assertions about the need to continue protecting against insider threats
- You post something which strongly suggests that insider threats are not the threats we should be looking for
- People request clarification about your assertion, pointing out that insider threats have not gone away
- You revert to form with classic discussion evasion and misdirection tactics

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Fri, Mar 16, 2012 at 12:18 AM, Kurt Buff <kurt.b...@gmail.com> wrote:

> Not really - the original article was interesting, and a good starting point for discussion.
>
> My point in response to Doug was not that the insider threat has disappeared but that the blanket statement that inside threats might no longer be dominant - something that I believe is probably true, with the rise of organized crime and hacktivism.
>
> Kurt
>
> On Thu, Mar 15, 2012 at 19:53, Andrew S. Baker <asbz...@gmail.com> wrote:
>
>> It's not like insider threats have plummeted to 0.
>>
>> The fact is that most organizations do not need to call for external infosec resources for insider threats.
>>
>> The Verizon security team dealt with ~855 cases worldwide. That's a good sample size for obtaining data about specific attacks, but it's not so large that it's fully representative of the entire attack landscape.
>>
>> The discussion here was about passwords, which I hope you'd remember considering you started it. Thus, within the context of the thread itself, the focus is on the usefulness and viability of strong passwords, whether in the standard format or as a passphrase.
>>
>> This other stuff you added is not really germane to the discussion, unless your goal is simply to hijack your own thread.
>>
>> ASB
>> http://XeeMe.com/AndrewBaker
>> Harnessing the Advantages of Technology for the SMB market…
>>
>> On Thu, Mar 15, 2012 at 6:43 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>>> Perhaps you might want to rethink your threat model:
>>>
>>> http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232601717/new-verizon-breach-data-shows-outside-threat-dominated-2011.html
>>>
>>> On Thu, Mar 15, 2012 at 13:50, Doug Hampshire <dhampsh...@gmail.com> wrote:
>>>
>>>> Are you sure about that? The vast majority of security incidents happen on the inside of your network, from known individuals. Also, it was addressing offline brute force attacks. Most online systems have lockout policies and other countermeasures to limit exposure to brute force attacks.
>>>>
>>>> On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
>>>>
>>>>> I'd rather have "good" passwords written down on a sticky note accessible only to a limited number of coworkers than "bad" passwords that can be exploited by any black-hat on the internet.
>>>>>
>>>>> Sent from my Windows Phone
>>>>> ------------------------------
>>>>> From: Heaton, Joseph@DFG
>>>>> Sent: 3/15/2012 11:07 AM
>>>>> To: NT System Admin Issues
>>>>> Subject: RE: Worth some consideration...
>>>>>
>>>>> Wait… I'm NOT supposed to write my password on a sticky note? How am I supposed to let my coworker use my login, then?
>>>>>
>>>>> Joe Heaton
>>>>> ITB – Windows Server Support
>>>>>
>>>>> From: Andrew S. Baker [mailto:asbz...@gmail.com]
>>>>> Sent: Thursday, March 15, 2012 7:49 AM
>>>>> To: Heaton, Joseph@DFG; NT System Admin Issues
>>>>> Subject: Re: Worth some consideration...
>>>>>
>>>>> That's an implementation problem.
>>>>>
>>>>> If I choose a passphrase of "Mary had a little lamb" then of course that will be relatively weak as passphrases go. That is not an inherent weakness of passphrases, but of people.
>>>>>
>>>>> Lots of things are undermined by poor choices. Completely random 20-character passwords with a Unicode character set are undermined by having them posted on sticky notes.
>>>>>
>>>>> We didn't need a whole article to point that out.
>>>>>
>>>>> ASB
>>>>> http://XeeMe.com/AndrewBaker
>>>>> Harnessing the Advantages of Technology for the SMB market…
>>>>>
>>>>> On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>>>
>>>>> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>>>>>
>>>>> By Dan Goodin
>>>>> Ars Technica
>>>>> March 14, 2012
>>>>>
>>>>> Passwords that contain multiple words aren't as resistant as some researchers expected to certain types of cracking attacks, mainly because users frequently pick phrases that occur regularly in everyday speech, a recently published paper concludes.
>>>>>
>>>>> Security managers have long regarded passphrases as an easy-to-remember way to pack dozens of characters into the string that must be entered to access online accounts or to unlock private encryption keys. The more characters, the thinking goes, the harder it is for attackers to guess or otherwise crack the code, since there are orders of magnitude more possible combinations.
>>>>>
>>>>> But a pair of computer scientists from Cambridge University has found that a significant percentage of passphrases used in a real-world scenario were easy to guess. Using a dictionary containing 20,656 phrases of movie titles, sports team names, and other proper nouns, they were able to find about 8,000 passphrases chosen by users of Amazon's now-defunct PayPhrase system. That's an estimated 1.13 percent of the available accounts. The promise of passphrases' increased entropy, it seems, was undone by many users' tendency to pick phrases that are staples of the everyday lexicon.
>>>>>
>>>>> "Our results suggest that users aren't able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language," researchers Joseph Bonneau and Ekaterina Shutova wrote in the paper (PDF), which is titled "Linguistic properties of multi-word passphrases." "Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security which is insufficient against offline attack," the paper says.
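The thread's two technical claims, that a phrase dictionary recovers a meaningful share of user-chosen passphrases in an offline attack, and that a 4-word phrase chosen the way people actually choose yields far fewer bits than its length suggests, can be made concrete with a small simulation. The example below is added here and is not code from the thread, the Ars Technica article, or the Bonneau/Shutova paper. It assumes a constructed twelve-phrase stand-in for the 20,656-phrase dictionary, a constructed word list and user population, unsalted-style fast hashing (SHA-256 over salt and passphrase) as the stored-credential format, and a Zipf distribution as the assumed model for how natural-language frequency skews users' phrase choices; the real numbers in the study will differ.

```python
"""Added example (not from the thread): offline dictionary attack on hashed
passphrases, and the effective security of phrases picked by frequency."""
import hashlib
import math
import os

# Constructed stand-in for the study's 20,656-phrase dictionary (movie titles,
# team names, other proper nouns), ordered from most to least common.
PHRASE_DICTIONARY = [
    "star wars", "new york", "happy birthday", "harry potter", "red sox",
    "green bay packers", "lord of the rings", "mary had a little lamb",
    "once upon a time", "top gun", "pink floyd", "dark knight",
]

# Constructed word list a careful user might draw random words from.
WORD_LIST = ["anvil", "brisket", "cobalt", "dahlia", "ember", "fjord",
             "gasket", "hemlock", "isthmus", "jasper", "kestrel", "lumen"]


def uniform_bits(dictionary_size, words):
    """Bits of security if each word is chosen uniformly and independently
    from a dictionary of dictionary_size words: log2(N ** k)."""
    return words * math.log2(dictionary_size)


def store(passphrase, salt=None):
    """Hash a passphrase the way a fast verifier might: SHA-256 over
    salt || passphrase. The fast hash is what makes each offline guess cheap;
    a slow KDF raises the per-guess cost but not the order in which
    common phrases fall."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha256(salt + passphrase.encode()).hexdigest()


def dictionary_attack(stored, phrases):
    """Offline attack: for each (salt, digest) try every dictionary phrase.
    Returns {digest: recovered_phrase} for the entries that fell."""
    recovered = {}
    for salt, digest in stored:
        for phrase in phrases:
            if hashlib.sha256(salt + phrase.encode()).hexdigest() == digest:
                recovered[digest] = phrase
                break
    return recovered


def build_sample():
    """Constructed population of ten users: six pick a well-known phrase,
    four pick four random words from WORD_LIST. Fixed salts keep the run
    reproducible."""
    chosen = ["star wars", "red sox", "harry potter", "new york",
              "mary had a little lamb", "top gun",
              "anvil fjord lumen cobalt", "jasper ember dahlia gasket",
              "kestrel isthmus brisket hemlock", "lumen anvil jasper fjord"]
    return [store(p, salt=bytes([i]) * 16) for i, p in enumerate(chosen)]


def cracked_fraction(stored, phrases):
    """Share of stored hashes the phrase dictionary recovers."""
    return len(dictionary_attack(stored, phrases)) / len(stored)


def zipf_probs(n, s=1.0):
    """Assumed model: phrase rank r is chosen with probability ~ 1 / r**s."""
    weights = [1.0 / (rank ** s) for rank in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def guesses_for_success(probs, target):
    """Guesses an optimal attacker (most likely phrase first) needs before
    the cumulative probability of cracking one account reaches target."""
    cum = 0.0
    for i, p in enumerate(sorted(probs, reverse=True), start=1):
        cum += p
        if cum >= target:
            return i
    return len(probs)


def bits_for_success(probs, target):
    """Effective bits of work to reach the target success rate."""
    return math.log2(guesses_for_success(probs, target))


if __name__ == "__main__":
    print("nominal bits, 1 of 20,656 phrases:", round(uniform_bits(20656, 1), 2))
    print("nominal bits, 4 random Diceware words:", round(uniform_bits(7776, 4), 2))
    print("fraction cracked in constructed sample:",
          cracked_fraction(build_sample(), PHRASE_DICTIONARY))
    n = 20656
    print("guesses to crack half, uniform:", guesses_for_success([1 / n] * n, 0.5))
    print("guesses to crack half, Zipf:", guesses_for_success(zipf_probs(n), 0.5))
    print("effective bits at 50% success, Zipf:",
          round(bits_for_success(zipf_probs(n), 0.5), 2))
```

The nominal figure (`uniform_bits`) is what the "more characters, more combinations" argument counts; `guesses_for_success` is what an attacker actually pays, and under the assumed Zipf skew the top hundred or so phrases already cover half the population, so the effective work is a handful of bits regardless of how many words the phrase contains. The attack itself needs no lockout bypass, which is Doug's point about offline versus online guessing: it runs entirely against the hash dump.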