Re: For your reading pleasure

2012-08-16 Thread Jonathan Link
You can synthesize all you said in one simple sentence: it's a business
decision.  I get that; I don't need a lecture on how it's justified for a
particular business.  It's like in Fight Club, "Take the number of
vehicles in the field, *A*, multiply by the probable rate of failure, *B*,
multiply by the average out-of-court settlement, *C*. *A* times *B* times *C*
equals *X*. If *X* is less than the cost of a recall, we don't do one."
Doesn't mean I, as a consumer, don't have a right to complain.  Doesn't mean
that I, as an IT professional, don't have a right to critique what is
perceived to be a poor authentication system.  It might, for you and your
business, make sense and I understand that.  Allow me to rail against it,
and you can justify a position all you'd like.  All environments have
limitations and workarounds; small environments may not have enough money
to encrypt computers, for example, but they should if they are dealing with
sensitive personal information.

I, as an end user, don't care how much a bank spent on their core banking
system.  I only care on what's presented to me, and I only care if that
bank has a breach and loses my money or personal information.  I'm not
going to say that a weak authentication system is the problem, but it
certainly doesn't give me a warm and fuzzy feeling about the bank when a
breach does happen.

Speaking on the debit card issue: debit cards employ a two-factor
authentication system.  Something you have and something you know.  So, if
I lose my debit card, I call the bank and tell them and they kill the card's
access.  If I forget my PIN they (hopefully) verify my identity and issue a
new PIN or allow me to set it.  The only issue is when I use my card at an
untrusted ATM that skims my card and harvests my PIN.  To that end, to
protect myself, I use my card very rarely and rely on a credit card.  But
this is an issue solved by the user, and the bank does have some interest
in educating the user to be cognizant of the threats of PIN harvesting and
skimming.  I remember the early days when online banking at a particular
bank used my ATM/debit card PIN.  I did not have a warm fuzzy feeling from
that bank.  Interestingly, many credit card sites allow for complex
passwords.  Maybe because that business is uncoupled from traditional
banking?  I don't know, but it is interesting.


On Thu, Aug 16, 2012 at 7:49 AM, Ken Schaefer  wrote:

>  Kurt said that piece – I was trying to summarise the overall content of
> the thread to date – I wasn’t trying to state you said everything.
> Specifically I wrote: I’m stating that the contentions *being put forward
> by others*…
>
> To be honest, enterprise environments have lots of limitations and
> workarounds that you don’t understand until you work in one. It can be
> really hard to implement what otherwise looks to be really simple or
> reasonable. And change works at a completely different pace.
>
> For example, core banking systems are a once-in-a-generation change. CBA
> recently completed one – I believe the cost was around half a billion
> dollars, and took four years. That type of investment is going to be around
> for many years (probably decades) to come, unless the bank merges or
> similar.
>
> So, thinking back to the thread earlier about hotel door locks, and the
> requirements of designing systems or products today, for the requirements
> of 10 years from now – it’s really difficult. Or really expensive.
>
> How long have >15 character passwords been in vogue? 3-4 years? When
> you’re talking about investment on a decade+ scale, then sometimes it takes
> a while for everything to catch up. So, that’s why banks have lots of other
> systems to detect fraud, break-ins, parallel authentication systems. As I
> asked before: if there was a 3 attempt lockout, then your money’s probably
> safe. You might get locked out by a DOS, but it’s unlikely that an attacker
> can get through even a 4 or 6 character key space with that type of setting
> in place.
>
> And to think: most debit and credit cards only have 4 character PINs – a
> much smaller key space. Do all your cards have smart cards embedded? If
> not, why aren’t you worried about that more?
>
> Cheers
>
> Ken
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Thursday, 16 August 2012 1:19 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: For your reading pleasure
>
> I didn't call them idiots, even though you quoted that. Someone else may
> have, but you were responding to me. I find the patchwork method of
> securing bank systems to be poorly thought out an

RE: For your reading pleasure

2012-08-16 Thread Ken Schaefer
Kurt said that piece - I was trying to summarise the overall content of the
thread to date - I wasn't trying to state you said everything. Specifically I
wrote: I'm stating that the contentions being put forward by others...

To be honest, enterprise environments have lots of limitations and workarounds
that you don't understand until you work in one. It can be really hard to
implement what otherwise looks to be really simple or reasonable. And change
works at a completely different pace.

For example, core banking systems are a once-in-a-generation change. CBA
recently completed one - I believe the cost was around half a billion dollars,
and took four years. That type of investment is going to be around for many
years (probably decades) to come, unless the bank merges or similar.

So, thinking back to the thread earlier about hotel door locks, and the
requirements of designing systems or products today, for the requirements of 10
years from now - it's really difficult. Or really expensive.

How long have >15 character passwords been in vogue? 3-4 years? When you're
talking about investment on a decade+ scale, then sometimes it takes a while for
everything to catch up. So, that's why banks have lots of other systems to
detect fraud, break-ins, parallel authentication systems. As I asked before: if
there was a 3 attempt lockout, then your money's probably safe. You might get
locked out by a DOS, but it's unlikely that an attacker can get through even a
4 or 6 character key space with that type of setting in place.

And to think: most debit and credit cards only have 4 character PINs - a much
smaller key space. Do all your cards have smart cards embedded? If not, why
aren't you worried about that more?

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Thursday, 16 August 2012 1:19 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

I didn't call them idiots, even though you quoted that. Someone else may have, 
but you were responding to me. I find the patchwork method of securing bank 
systems to be poorly thought out and far too limiting to me as an end user.  I 
want and like having my password be of some size in excess of 15 characters, 
using numbers and special characters as I would like.  Is that such an 
unreasonable request?

On Wednesday, August 15, 2012, Ken Schaefer wrote:
I thought this was a serious conversation. But apparently it's not. Maybe it's 
time to go back to being indignant and carrying around pitchforks.

Cheers
Ken

From: Jonathan Link 
[mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 11:46 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure



Because I'm an idiot.





On Wed, Aug 15, 2012 at 9:22 AM, Ken Schaefer wrote:

I'm not saying that "banks are secure"



I'm stating that the contentions being put forward by others are not supported 
by evidence we have before us. Namely "my bank has password requirements less 
than what I have at work - they allow only 8 characters and don't allow 
Unicode. Therefore they are insecure and the people working on them are 
idiots". The latter conclusion is not supported by the prior statement - for 
reasons I am giving. But I am not stating that banks are secure.



Also, why do you think "admin" accounts only have 8 character passwords? Or 
that these are even exposed to external access?



Cheers

Ken



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 11:06 PM

To: NT System Admin Issues
Subject: Re: For your reading pleasure



Passwords are a part of security for everyone.  It is likely that 
administrative access to that customer system is also limited to an 8 character 
password.  So as a hacker, I don't go after an individual customer account, I 
go after the admin account.  Woo hoo, I can now reset passwords on all the 
accounts for some period of time.



In any event, the argument you present against forcing complex passwords also 
stands true for frequent password changes which is a technique banks also 
employ.  Just because a bank has a measured and layered approach to security in 
other areas and they ignore the customer part of it (including education) 
doesn't mean that they are "secure."



On Wed, Aug 15, 2012 at 8:46 AM, Ken Schaefer wrote:

Personal customer passwords for online banking are only a very small part of 
the security systems a bank has. Just because passwords aren't as complex as 
you would like, it doesn't follow that banks are not secure.

Additionally, forcing overly complex passwords can also, sometimes, decrease 
security because people forget them more often, or write them down insecurely, 
or similar stuff.




Re: For your reading pleasure

2012-08-15 Thread Jonathan Link
I didn't call them idiots, even though you quoted that. Someone else may
have, but you were responding to me. I find the patchwork method of
securing bank systems to be poorly thought out and far too limiting to me
as an end user.  I want and like having my password be of some size in
excess of 15 characters, using numbers and special characters as I would
like.  Is that such an unreasonable request?

On Wednesday, August 15, 2012, Ken Schaefer wrote:

>  I thought this was a serious conversation. But apparently it’s not.
> Maybe it’s time to go back to being indignant and carrying around
> pitchforks.
>
> Cheers
>
> Ken
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Wednesday, 15 August 2012 11:46 PM
> *To:* NT System Admin Issues
> *Subject:* Re: For your reading pleasure
>
> Because I'm an idiot.
>
> On Wed, Aug 15, 2012 at 9:22 AM, Ken Schaefer 
> wrote:
>
> I’m not saying that “banks are secure”
>
>  
>
> I’m stating that the contentions being put forward by others are not
> supported by evidence we have before us. Namely “my bank has password
> requirements less than what I have at work – they allow only 8 characters
> and don’t allow Unicode. Therefore they are insecure and the people working
> on them are idiots”. The latter conclusion is not supported by the prior
> statement – for reasons I am giving. But I am not stating that banks are
> secure.
>
>  
>
> Also, why do you think “admin” accounts only have 8 character passwords?
> Or that these are even exposed to external access?
>
>  
>
> Cheers
>
> Ken
>
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Wednesday, 15 August 2012 11:06 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: For your reading pleasure
>
>  
>
> Passwords are a part of security for everyone.  It is likely that
> administrative access to that customer system is also limited to an 8
> character password.  So as a hacker, I don't go after an individual
> customer account, I go after the admin account.  Woo hoo, I can now reset
> passwords on all the accounts for some period of time.
>
>  
>
> In any event, the argument you present against forcing complex passwords
> also stands true for frequent password changes which is a technique banks
> also employ.  Just because a bank has a measured and layered approach to
> security in other areas and they ignore the customer part of it (including
> education) doesn't mean that they are "secure."
>
>  
>
> On Wed, Aug 15, 2012 at 8:46 AM, Ken Schaefer 
> wrote:
>
> Personal customer passwords for online banking are only a very small part
> of the security systems a bank has. Just because passwords aren’t as
> complex as you would like, it doesn’t follow that banks are not secure.
>
> Additionally, forcing overly complex passwords can also, sometimes,
> decrease security because people forget them more often, or write them down
> insecurely, or similar stuff.
>
>  
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>


RE: For your reading pleasure

2012-08-15 Thread Ziots, Edward
You aren't an idiot, Jonathan,

 

Trust me, if you dug deep enough there is going to be some
bank/webpage that will have an SQL Injection or XSS flaw, that might
allow bypass of the entire authentication process itself.  But that
might be going too far down the rabbit hole of possibilities, but for
the hackers it's definitely something that will be used and abused if
they can find these types of OWASP top 10 flaws on a banking site.

 

EZ

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Wednesday, August 15, 2012 9:46 AM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

 

Because I'm an idiot.

 

 

On Wed, Aug 15, 2012 at 9:22 AM, Ken Schaefer 
wrote:

I'm not saying that "banks are secure"

 

I'm stating that the contentions being put forward by others are not
supported by evidence we have before us. Namely "my bank has password
requirements less than what I have at work - they allow only 8
characters and don't allow Unicode. Therefore they are insecure and the
people working on them are idiots". The latter conclusion is not
supported by the prior statement - for reasons I am giving. But I am not
stating that banks are secure.

 

Also, why do you think "admin" accounts only have 8 character passwords?
Or that these are even exposed to external access?

 

Cheers

Ken

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Wednesday, 15 August 2012 11:06 PM


To: NT System Admin Issues
Subject: Re: For your reading pleasure

 

Passwords are a part of security for everyone.  It is likely that
administrative access to that customer system is also limited to an 8
character password.  So as a hacker, I don't go after an individual
customer account, I go after the admin account.  Woo hoo, I can now
reset passwords on all the accounts for some period of time.

 

In any event, the argument you present against forcing complex passwords
also stands true for frequent password changes which is a technique
banks also employ.  Just because a bank has a measured and layered
approach to security in other areas and they ignore the customer part of
it (including education) doesn't mean that they are "secure."

 

On Wed, Aug 15, 2012 at 8:46 AM, Ken Schaefer 
wrote:

Personal customer passwords for online banking are only a very small
part of the security systems a bank has. Just because passwords aren't
as complex as you would like, it doesn't follow that banks are not
secure. 

Additionally, forcing overly complex passwords can also, sometimes,
decrease security because people forget them more often, or write them
down insecurely, or similar stuff.

 

If an online banking password is 8 characters, and there's an account
lockout after three failed attempts, does it mean that the system is
"insecure"?

 

Cheers

Ken 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Wednesday, 15 August 2012 9:55 PM


To: NT System Admin Issues
Subject: Re: For your reading pleasure

 

Just to help drive the point home, I have been asked by Directors in our
organization why we have such long passwords when their banks don't
require it or even prevent it.  There is a perception in the laity, for
lack of a better word, that because banks deal with money that they are
"secure."

On Wed, Aug 15, 2012 at 12:54 AM, Kurt Buff  wrote:

On Tue, Aug 14, 2012 at 7:36 PM, Ken Schaefer 
wrote:
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Subject: Re: For your reading pleasure
>
>>> AND most bank passwords are case-insensitive, to make things worse.
>>
>>And won't let you put in spaces or other punctuation, either.
>>
>>I detect a complete absence of cognition on the part of the designers
of these systems.
>>
>>Kurt
>
> Really?

Yes.


> We're the only ones here that read web pages about security best
practises, or attend events or read books?

No, but some of those banks have certainly missed the boat - the ones
that don't allow long passwords or non-alphanumeric characters in their
web passwords for sure, and probably even a few who have covered those
bases.


>The IT guys at banks never went to Uni, are all ignoramuses and banks
have never hired a security officer or architect ever?

Going to Uni != intelligence, nor does having the title of security
officer or architect.


> By all means, keep up pressure on organisations to lift their game.
But I think it's grossly unfair
> to impugn people personally for this issue, and particularly for the
offence you have listed.

I don't. If we don't call them on their $#!+, they won't change.
Whether it's the IT staff or the executives, someone in the org is
mal/mis/non-fe

RE: For your reading pleasure

2012-08-15 Thread Ziots, Edward
Honestly at one time or another everyone would be on that wall of
Shame... just don't be on the wall of "Sheep" at Blackhat in Vegas. That
is one list you don't want to be shown on...

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: Chinnery, Paul [mailto:pa...@mmcwm.com] 
Sent: Wednesday, August 15, 2012 8:27 AM
To: NT System Admin Issues
Subject: RE: For your reading pleasure

 

Maybe banks need a  "Wall of Shame" like us healthcare providers.

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Wednesday, August 15, 2012 8:07 AM
To: NT System Admin Issues
Subject: RE: For your reading pleasure

 

In some businesses perception is the truth, no matter what the real truth
might be. Just because banks deal with money does not make them secure;
they are just bigger targets, which speaks to Ken's comment earlier
about the awareness of threats, because they are dealing with it 24x7
and a breach for them will cost them a lot of $$.

 

Z

 

Edward E. Ziots, CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Wednesday, August 15, 2012 7:55 AM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

 

Just to help drive the point home, I have been asked by Directors in our
organization why we have such long passwords when their banks don't
require it or even prevent it.  There is a perception in the laity, for
lack of a better word, that because banks deal with money that they are
"secure."

On Wed, Aug 15, 2012 at 12:54 AM, Kurt Buff  wrote:

On Tue, Aug 14, 2012 at 7:36 PM, Ken Schaefer 
wrote:
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Subject: Re: For your reading pleasure
>
>>> AND most bank passwords are case-insensitive, to make things worse.
>>
>>And won't let you put in spaces or other punctuation, either.
>>
>>I detect a complete absence of cognition on the part of the designers
of these systems.
>>
>>Kurt
>
> Really?

Yes.


> We're the only ones here that read web pages about security best
practises, or attend events or read books?

No, but some of those banks have certainly missed the boat - the ones
that don't allow long passwords or non-alphanumeric characters in their
web passwords for sure, and probably even a few who have covered those
bases.


>The IT guys at banks never went to Uni, are all ignoramuses and banks
have never hired a security officer or architect ever?

Going to Uni != intelligence, nor does having the title of security
officer or architect.


> By all means, keep up pressure on organisations to lift their game.
But I think it's grossly unfair
> to impugn people personally for this issue, and particularly for the
offence you have listed.

I don't. If we don't call them on their $#!+, they won't change.
Whether it's the IT staff or the executives, someone in the org is
mal/mis/non-feasant, and I don't care at which level it happened.


> From what I can gather most people on this list work in small
environments, and mostly for non-commercial organisations - the types of
places where IT is relatively simple and there aren't a lot of
constraints, interoperability or legacy systems to work with.

And the budgets are far smaller. Larger institutions should plan out
their web presence before launch, and it's painfully obvious that some
haven't.


> In any case, having worked in three different countries to-date, my
personal experience of banking is that:
> a) some banks implement additional password systems, to complement
whatever their legacy system is.
> This could take the form of an additional logon after your main logon.
This would allow a bank to implement
> a new, up-to-date, user authentication system to sit next to their
legacy one

And some don't.


> b) some banks implement 2FA: every bank in Singapore (for example)
issues tokens to customers and also
> provides the option for SMS based one-time PINs

And some don't.


> I strongly believe that IT in banks (at least in the developed world)
are just as, or far more aware, of threats than we are.

Sometimes yes, but on the evidence, sometimes no. It's why I left my
most recent credit union for a better one, with stronger login
security for their web presence. I didn't want their problem to be my
problem. I also know that some banks are no better.

Kurt



Re: For your reading pleasure

2012-08-15 Thread Jonathan Link
Because I'm an idiot.


On Wed, Aug 15, 2012 at 9:22 AM, Ken Schaefer  wrote:

>  I’m not saying that “banks are secure”
>
> I’m stating that the contentions being put forward by others are not
> supported by evidence we have before us. Namely “my bank has password
> requirements less than what I have at work – they allow only 8 characters
> and don’t allow Unicode. Therefore they are insecure and the people working
> on them are idiots”. The latter conclusion is not supported by the prior
> statement – for reasons I am giving. But I am not stating that banks are
> secure.
>
> Also, why do you think “admin” accounts only have 8 character passwords?
> Or that these are even exposed to external access?
>
> Cheers
>
> Ken
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Wednesday, 15 August 2012 11:06 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: For your reading pleasure
>
> Passwords are a part of security for everyone.  It is likely that
> administrative access to that customer system is also limited to an 8
> character password.  So as a hacker, I don't go after an individual
> customer account, I go after the admin account.  Woo hoo, I can now reset
> passwords on all the accounts for some period of time.
>
> In any event, the argument you present against forcing complex passwords
> also stands true for frequent password changes which is a technique banks
> also employ.  Just because a bank has a measured and layered approach to
> security in other areas and they ignore the customer part of it (including
> education) doesn't mean that they are "secure."
>
> On Wed, Aug 15, 2012 at 8:46 AM, Ken Schaefer 
> wrote:
>
> Personal customer passwords for online banking are only a very small part
> of the security systems a bank has. Just because passwords aren’t as
> complex as you would like, it doesn’t follow that banks are not secure.
>
> Additionally, forcing overly complex passwords can also, sometimes,
> decrease security because people forget them more often, or write them down
> insecurely, or similar stuff.
>
>  
>
> If an online banking password is 8 characters, and there’s an account
> lockout after three failed attempts, does it mean that the system is
> “insecure”?
>
>  
>
> Cheers
>
> Ken 
>
>  
>
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Wednesday, 15 August 2012 9:55 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: For your reading pleasure
>
>  
>
> Just to help drive the point home, I have been asked by Directors in our
> organization why we have such long passwords when their banks don't require
> it or even prevent it.  There is a perception in the laity, for lack of a
> better word, that because banks deal with money that they are "secure."
>
> On Wed, Aug 15, 2012 at 12:54 AM, Kurt Buff  wrote:
>
>
> On Tue, Aug 14, 2012 at 7:36 PM, Ken Schaefer 
> wrote:
> > -Original Message-
> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
> > Subject: Re: For your reading pleasure
> >
> >>> AND most bank passwords are case-insensitive, to make things worse.
> >>
> >>And won't let you put in spaces or other punctuation, either.
> >>
> >>I detect a complete absence of cognition on the part of the designers of
> these systems.
> >>
> >>Kurt
> >
> > Really?
>
> Yes.
>
>
> > We're the only ones here that read web pages about security best
> practises, or attend events or read books?
>
> No, but some of those banks have certainly missed the boat - the ones
> that don't allow long passwords or non-alphanumeric characters in their
> web passwords for sure, and probably even a few who have covered those
> bases.
>
>
> >The IT guys at banks never went to Uni, are all ignoramuses and banks
> have never hired a security officer or architect ever?
>
> Going to Uni != intelligence, nor does having the title of security
> officer or architect.
>
>
> > By all means, keep up pressure on organisations to lift their game. But
> I think it's grossly unfair
> > to impugn people personally for this issue, and particularly for the
> offence you have listed.
>
> I don't. If we don't call them on their $#!+, they won't change.
> Whether it's the IT staff or the executives, someone in the org is
> mal/mis/non-feasa

RE: For your reading pleasure

2012-08-15 Thread Ken Schaefer
I'm not saying that "banks are secure"

I'm stating that the contentions being put forward by others are not supported 
by evidence we have before us. Namely "my bank has password requirements less 
than what I have at work - they allow only 8 characters and don't allow 
Unicode. Therefore they are insecure and the people working on them are 
idiots". The latter conclusion is not supported by the prior statement - for 
reasons I am giving. But I am not stating that banks are secure.

Also, why do you think "admin" accounts only have 8 character passwords? Or 
that these are even exposed to external access?

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 11:06 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

Passwords are a part of security for everyone.  It is likely that 
administrative access to that customer system is also limited to an 8 character 
password.  So as a hacker, I don't go after an individual customer account, I 
go after the admin account.  Woo hoo, I can now reset passwords on all the 
accounts for some period of time.

In any event, the argument you present against forcing complex passwords also 
stands true for frequent password changes which is a technique banks also 
employ.  Just because a bank has a measured and layered approach to security in 
other areas and they ignore the customer part of it (including education) 
doesn't mean that they are "secure."

On Wed, Aug 15, 2012 at 8:46 AM, Ken Schaefer wrote:
Personal customer passwords for online banking are only a very small part of 
the security systems a bank has. Just because passwords aren't as complex as 
you would like, it doesn't follow that banks are not secure.
Additionally, forcing overly complex passwords can also, sometimes, decrease 
security because people forget them more often, or write them down insecurely, 
or similar stuff.

If an online banking password is 8 characters, and there's an account lockout 
after three failed attempts, does it mean that the system is "insecure"?

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 9:55 PM

To: NT System Admin Issues
Subject: Re: For your reading pleasure

Just to help drive the point home, I have been asked by Directors in our 
organization why we have such long passwords when their banks don't require it 
or even prevent it.  There is a perception in the laity, for lack of a better 
word, that because banks deal with money that they are "secure."
On Wed, Aug 15, 2012 at 12:54 AM, Kurt Buff wrote:
On Tue, Aug 14, 2012 at 7:36 PM, Ken Schaefer wrote:
> -----Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Subject: Re: For your reading pleasure
>
>>> AND most bank passwords are case-insensitive, to make things worse.
>>
>>And won't let you put in spaces or other punctuation, either.
>>
>>I detect a complete absence of cognition on the part of the designers of 
>>these systems.
>>
>>Kurt
>
> Really?
Yes.

> We're the only ones here that read web pages about security best practises, 
> or attend events or read books?
No, but some of those banks have certainly missed the boat - the ones
that don't allow long passwords or non-alphanumeric characters in their
web passwords for sure, and probably even a few who have covered those
bases.

>The IT guys at banks never went to Uni, are all ignoramuses and banks have 
>never hired a security officer or architect ever?
Going to Uni != intelligence, nor does having the title of security
officer or architect.

> By all means, keep up pressure on organisations to lift their game. But I 
> think it's grossly unfair
> to impugn people personally for this issue, and particularly for the offence 
> you have listed.
I don't. If we don't call them on their $#!+, they won't change.
Whether it's the IT staff or the executives, someone in the org is
mal/mis/non-feasant, and I don't care at which level it happened.

> From what I can gather most people on this list work in small environments, 
> and mostly for non-commercial organisations - the types of places where IT is 
> relatively simple and there aren't a lot of constraints, interoperability or 
> legacy systems to work with.
And the budgets are far smaller. Larger institutions should plan out
their web presence before launch, and it's painfully obvious that some
haven't.

> In any case, having worked in three different countries to-date, my personal 
> experience of banking is that:
> a) some banks

Re: For your reading pleasure

2012-08-15 Thread Jonathan Link
Passwords are a part of security for everyone.  It is likely that
administrative access to that customer system is also limited to an 8
character password.  So as a hacker, I don't go after an individual
customer account, I go after the admin account.  Woo hoo, I can now reset
passwords on all the accounts for some period of time.

In any event, the argument you present against forcing complex passwords
also stands true for frequent password changes which is a technique banks
also employ.  Just because a bank has a measured and layered approach to
security in other areas and they ignore the customer part of it (including
education) doesn't mean that they are "secure."


On Wed, Aug 15, 2012 at 8:46 AM, Ken Schaefer  wrote:

> Personal customer passwords for online banking are only a very small
> part of the security systems a bank has. Just because passwords aren’t as
> complex as you would like, it doesn’t follow that banks are not secure.
>
> Additionally, forcing overly complex passwords can also, sometimes,
> decrease security because people forget them more often, or write them down
> insecurely, or similar stuff.
>
> If an online banking password is 8 characters, and there’s an account
> lockout after three failed attempts, does it mean that the system is
> “insecure”?
>
> Cheers
>
> Ken

RE: For your reading pleasure

2012-08-15 Thread Ken Schaefer
Personal customer passwords for online banking are only a very small part of 
the security systems a bank has. Just because passwords aren't as complex as 
you would like, it doesn't follow that banks are not secure.
Additionally, forcing overly complex passwords can also, sometimes, decrease 
security because people forget them more often, or write them down insecurely, 
or similar stuff.

If an online banking password is 8 characters, and there's an account lockout 
after three failed attempts, does it mean that the system is "insecure"?

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 9:55 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

Just to help drive the point home, I have been asked by Directors in our 
organization why we have such long passwords when their banks don't require it 
or even prevent it.  There is a perception in the laity, for lack of a better 
word, that because banks deal with money that they are "secure."

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin

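The two positions in this thread (Ken's "8 characters plus a three-strike lockout" and Jonathan's "what about after the breach") can be put side by side with some arithmetic. The example below is added here and is not from any of the list posts; the policies are constructed to match what the thread describes, and the lockout window, the guessing rate through the login form and the offline hash rate are assumptions marked in the comments.

```python
import math
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Character-set, length and lockout rules a login system imposes."""

    name: str
    max_length: int                   # longest password the system accepts
    case_sensitive: bool              # False = the "case-insensitive" bank login
    allow_punctuation: bool           # False = no spaces or other punctuation
    lockout_threshold: Optional[int]  # failed attempts before lockout; None = none

    def alphabet_size(self) -> int:
        """Distinct characters a user can actually choose from."""
        size = len(string.digits) + len(string.ascii_lowercase)
        if self.case_sensitive:
            size += len(string.ascii_uppercase)
        if self.allow_punctuation:
            size += len(string.punctuation) + 1  # +1 for the space character
        return size

    def keyspace(self) -> int:
        """Number of passwords of exactly max_length (best case for the defender)."""
        return self.alphabet_size() ** self.max_length

    def entropy_bits(self) -> float:
        """Upper bound that assumes every character is chosen uniformly at random;
        human-chosen passwords fall well short of it."""
        return self.max_length * math.log2(self.alphabet_size())


def online_guesses_per_day(policy: PasswordPolicy, lockout_window_hours: float) -> float:
    """Guesses per account per day through the login form.

    Assumption: a lockout clears after lockout_window_hours, so an attacker gets
    lockout_threshold tries per window. With no lockout at all we assume the form
    can be driven at one guess per second (an illustrative figure, not measured).
    """
    if policy.lockout_threshold is None:
        return 24 * 3600.0
    return policy.lockout_threshold * (24.0 / lockout_window_hours)


def expected_online_years(policy: PasswordPolicy, lockout_window_hours: float) -> float:
    """Expected time to guess one account's password via the login form."""
    guesses_needed = policy.keyspace() / 2  # on average half the keyspace
    return guesses_needed / online_guesses_per_day(policy, lockout_window_hours) / 365


def offline_crack_seconds(policy: PasswordPolicy, hashes_per_second: float) -> float:
    """Expected time to recover one password from a leaked hash database.

    Lockout counters live in the login system, so they give no protection here;
    this is the breach scenario the thread worries about. The rate is an
    assumption about the hashing scheme: a fast unsalted hash can be tried at
    billions of guesses per second, a tuned slow hash at only thousands.
    """
    return policy.keyspace() / 2 / hashes_per_second


def case_insensitivity_cost_bits(length: int) -> float:
    """Entropy lost when an alphanumeric password is folded to one case before
    checking: 62 usable characters per position become 36."""
    return length * (math.log2(62) - math.log2(36))


# Constructed policies matching the two positions in the thread.
WEAK = PasswordPolicy("8-char bank login", 8, case_sensitive=False,
                      allow_punctuation=False, lockout_threshold=3)
STRONG = PasswordPolicy("16-char full charset", 16, case_sensitive=True,
                        allow_punctuation=True, lockout_threshold=3)


def compare(weak: PasswordPolicy, strong: PasswordPolicy,
            lockout_window_hours: float = 24.0,
            hashes_per_second: float = 1e10) -> dict:
    """Both policies under both threat models; keys are the policy names."""
    return {
        p.name: {
            "entropy_bits": round(p.entropy_bits(), 1),
            "online_years_with_lockout": expected_online_years(p, lockout_window_hours),
            "offline_seconds_after_breach": offline_crack_seconds(p, hashes_per_second),
        }
        for p in (weak, strong)
    }


if __name__ == "__main__":
    for name, result in compare(WEAK, STRONG).items():
        print(name)
        for metric, value in result.items():
            print(f"  {metric:30s} {value:.3g}")
    print(f"case folding an 8-char password costs "
          f"{case_insensitivity_cost_bits(8):.1f} bits")
```

With a daily-clearing lockout, even the weak policy takes on the order of a billion years to guess through the login form, which is Ken's point; the same 8-character keyspace falls in minutes once a fast-hashed database leaks, which is Jonathan's, so the lockout argument only holds for as long as the hashes stay inside the bank.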
RE: For your reading pleasure

2012-08-15 Thread Chinnery, Paul
Maybe banks need a  "Wall of Shame" like us healthcare providers.

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Wednesday, August 15, 2012 8:07 AM
To: NT System Admin Issues
Subject: RE: For your reading pleasure

In some business perception is the truth, no matter what the real truth might 
be. Just because banks deal with money does not make them secure, they are 
just bigger targets, which speaks to Ken's comment earlier about the awareness 
of threats, because they are dealing with it 24x7 and a breach for them will 
cost them a lot of $$.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org


RE: For your reading pleasure

2012-08-15 Thread Ziots, Edward
In some business perception is the truth, no matter what the real truth
might be. Just because banks deal with money does not make them secure,
they are just bigger targets, which speaks to Ken's comment earlier
about the awareness of threats, because they are dealing with it 24x7
and a breach for them will cost them a lot of $$.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Wednesday, August 15, 2012 7:55 AM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

Just to help drive the point home, I have been asked by Directors in our
organization why we have such long passwords when their banks don't
require it or even prevent it.  There is a perception in the laity, for
lack of a better word, that because banks deal with money that they are
"secure."


Re: For your reading pleasure

2012-08-15 Thread Jonathan Link
Just to help drive the point home, I have been asked by Directors in our
organization why we have such long passwords when their banks don't require
it or even prevent it.  There is a perception in the laity, for lack of a
better word, that because banks deal with money that they are "secure."


Re: For your reading pleasure

2012-08-14 Thread Kurt Buff
On Tue, Aug 14, 2012 at 7:36 PM, Ken Schaefer  wrote:
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Subject: Re: For your reading pleasure
>
>>> AND most bank passwords are case-insensitive, to make things worse.
>>
>>And won't let you put in spaces or other punctuation, either.
>>
>>I detect a complete absence of cognition on the part of the designers of 
>>these systems.
>>
>>Kurt
>
> Really?

Yes.

> We're the only ones here that read web pages about security best practises, 
> or attend events or read books?

No, but some of those banks have certainly missed the boat - the ones
that don't allow long passwords or non-alphanumeric characters in their
web passwords for sure, and probably even a few who have covered those
bases.

>The IT guys at banks never went to Uni, are all ignoramuses and banks have 
>never hired a security officer or architect ever?

Going to Uni != intelligence, nor does having the title of security
officer or architect.

> By all means, keep up pressure on organisations to lift their game. But I 
> think it's grossly unfair
> to impugn people personally for this issue, and particularly for the offence 
> you have listed.

I don't. If we don't call them on their $#!+, they won't change.
Whether it's the IT staff or the executives, someone in the org is
mal/mis/non-feasant, and I don't care at which level it happened.

> From what I can gather most people on this list work in small environments, 
> and mostly for non-commercial organisations - the types of places where IT is 
> relatively simple and there aren't a lot of constraints, interoperability or 
> legacy systems to work with.

And the budgets are far smaller. Larger institutions should plan out
their web presence before launch, and it's painfully obvious that some
haven't.

> In any case, having worked in three different countries to-date, my personal 
> experience of banking is that:
> a) some banks implement additional password systems, to complement whatever 
> their legacy system is.
> This could take the form of an additional logon after your main logon. This 
> would allow a bank to implement
> a new, up-to-date, user authentication system to sit next to their legacy one

And some don't.

> b) some banks implement 2FA: every bank in Singapore (for example) issues 
> tokens to customers and also
> provides the option for SMS based one-time PINs

And some don't.

> I strongly believe that IT in banks (at least in the developed world) are 
> just as, or far more aware, of threats than we are.

Sometimes yes, but on the evidence, sometimes no. It's why I left my
most recent credit union for a better one, with stronger login
security for their web presence. I didn't want their problem to be my
problem. I also know that some banks are no better.

Kurt




Re: For your reading pleasure

2012-08-14 Thread Ben Scott
On Tue, Aug 14, 2012 at 6:52 PM, Michael B. Smith  wrote:
>> That, and 50 year old mainframe software that's been dragged kicking and 
>> screaming
>> onto the modern Internet.  Some of that stuff doesn't even use ASCII.
>
> EBCDIC was invented to REPLACE ASCII because of the various shortcomings 
> present with ASCII, especially including i18n!

  Say *what*?  :-)

  While this stuff is rather before my time, as far as I know, EBCDIC
was simply an IBM punched card format carried into the electronic
computing age.

  IBM's pre-computer unit record equipment, and some of their early
computers, worked with decimal numbers (like humans).  Each of the
digits 0 through 9 had a binary representation, and numbers were
stored in the machine in decimal form.  So the quantity of 17 decimal
wouldn't be stored as 10001 binary, it would be stored as two encoded
digits, 0001 0011 (or something like that).  Hence, Binary Coded
Decimal.

  IBM extended the basic BCD concept to handle character data as well.
 That also dates back to unit record machines, before real computing
happened.  It certainly wasn't invented before ASCII.

  The thing properly called "EBCDIC" did come later, when real
computers started to happen.  I was under the impression that it was
roughly contemporary with ASCII, but I don't really know.  So maybe it
came after.  But the motivation wasn't to "fix" ASCII, as far as I've
ever heard before.  The motivation was that IBM customers already had
a bajillion punched cards, and didn't want to scrap them overnight.

  As I recall from my past studies, the structure of an EBCDIC
character contains subfields derived from punched cards.  I forget the
details, but IIRC, they had some application in the world of
tabulating machines, but were mostly a backwards-compatibility
mechanism in the electronic world.

  EBCDIC is also just like ASCII in that it doesn't have enough
codepoints to handle i18n well, and so there are a ton of mutually
incompatible "code pages" which select which characters, and the code
page has to be specified via some other mechanism.

  You're not thinking of Unicode, are you?

> I believe that IBM and all of the BUNCH implemented it, but because of DEC's 
> PDP
> being basically a 7-bit word, and the relationship of Unix to PDP, we ended up
> with ASCII...

  ASCII is a direct descendant of the US Army "Field Data" format.  We
ended up with ASCII because (1) it was promulgated as a national
standard (by what's now ANSI), and (2) it was an open and
easy-to-implement standard.  EBCDIC was a product of the mainframe
world (which was rather less friendly to outsiders), and has a number
of quirks -- chief among them, the letter characters are not all
contiguous.

-- Ben



RE: For your reading pleasure

2012-08-14 Thread Ken Schaefer
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Subject: Re: For your reading pleasure

>> AND most bank passwords are case-insensitive, to make things worse.
>
>And won't let you put in spaces or other punctuation, either.
>
>I detect a complete absence of cognition on the part of the designers of these 
>systems.
>
>Kurt

Really? 

We're the only ones here that read web pages about security best practises, or 
attend events or read books? The IT guys at banks never went to Uni, are all 
ignoramuses and banks have never hired a security officer or architect ever?

By all means, keep up pressure on organisations to lift their game. But I think 
it's grossly unfair to impugn people personally for this issue, and 
particularly for the offence you have listed. From what I can gather most 
people on this list work in small environments, and mostly for non-commercial 
organisations - the types of places where IT is relatively simple and there 
aren't a lot of constraints, interoperability or legacy systems to work with.

In any case, having worked in three different countries to-date, my personal 
experience of banking is that:
a) some banks implement additional password systems, to complement whatever 
their legacy system is. This could take the form of an additional logon after 
your main logon. This would allow a bank to implement a new, up-to-date, user 
authentication system to sit next to their legacy one
b) some banks implement 2FA: every bank in Singapore (for example) issues 
tokens to customers and also provides the option for SMS based one-time PINs

I strongly believe that IT in banks (at least in the developed world) are just 
as, or far more aware, of threats than we are.

Cheers
Ken


RE: For your reading pleasure

2012-08-14 Thread Michael B. Smith
Now that's kinda funny.

EBCDIC was invented to REPLACE ASCII because of the various shortcomings 
present with ASCII, especially including i18n!

I believe that IBM and all of the BUNCH implemented it, but because of DEC's 
PDP being basically a 7-bit word, and the relationship of Unix to PDP, we ended 
up with ASCII...

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, August 14, 2012 6:05 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

On Tue, Aug 14, 2012 at 4:21 PM, Kurt Buff  wrote:
>> AND most bank passwords are case-insensitive, to make things worse.
>
> And won't let you put in spaces or other punctuation, either.
>
> I detect a complete absence of cognition on the part of the designers 
> of these systems.

  That, and 50 year old mainframe software that's been dragged kicking and 
screaming onto the modern Internet.  Some of that stuff doesn't even use ASCII.

-- Ben




Re: For your reading pleasure

2012-08-14 Thread Ben Scott
On Tue, Aug 14, 2012 at 4:21 PM, Kurt Buff  wrote:
>> AND most bank passwords are case-insensitive, to make things worse.
>
> And won't let you put in spaces or other punctuation, either.
>
> I detect a complete absence of cognition on the part of the designers
> of these systems.

  That, and 50 year old mainframe software that's been dragged kicking
and screaming onto the modern Internet.  Some of that stuff doesn't
even use ASCII.

-- Ben



Re: For your reading pleasure

2012-08-14 Thread Kurt Buff
On Tue, Aug 14, 2012 at 12:22 PM, Angus Scott-Fleming
 wrote:
> On 13 Aug 2012 at 9:47, Kurt Buff  wrote:
>
>>  5) Long passwords do indeed work - see 1) and 4) above, but good
>> luck asking for 16+ character passwords, especially when some banking
>> sites won't let you use more than 8 characters.
>
> AND most bank passwords are case-insensitive, to make things worse.

And won't let you put in spaces or other punctuation, either.

I detect a complete absence of cognition on the part of the designers
of these systems.

Kurt
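The three constraints piled up in this exchange (an 8-character maximum, case folding, and rejection of spaces and punctuation) can be quantified. The following is an added example, not code from any bank or from anyone on the list; the normalisation it mimics and the sample passwords are assumptions constructed for illustration:

```python
import math
import string

# Alphabet that survives the legacy rules: 26 letters (case folded) + 10 digits.
ALNUM = set(string.ascii_uppercase + string.digits)


def legacy_normalize(password, max_len=8):
    """Mimic the constraints complained about in the thread (an assumption,
    not any specific bank's code): fold case, drop spaces and punctuation,
    and silently truncate to max_len characters."""
    folded = "".join(ch for ch in password.upper() if ch in ALNUM)
    return folded[:max_len]


def effective_bits(max_len, alphabet_size):
    """Upper bound on entropy, in bits, for a uniformly random password of
    max_len symbols drawn from an alphabet of alphabet_size symbols."""
    return max_len * math.log2(alphabet_size)


def collisions(passwords, max_len=8):
    """Group user-chosen passwords that the legacy system would store and
    compare as the same value; only groups with more than one member are
    returned."""
    groups = {}
    for pw in passwords:
        groups.setdefault(legacy_normalize(pw, max_len), []).append(pw)
    return {key: pws for key, pws in groups.items() if len(pws) > 1}


# Constructed sample passwords for the demonstration.
SAMPLE = [
    "Correct Horse Battery Staple",
    "correct-horse",
    "CORRECTHORSE99",
    "Tr0ub4dor&3",
    "tr0ub4dor",
]

if __name__ == "__main__":
    for key, pws in collisions(SAMPLE).items():
        print(f"stored as {key!r}: {pws}")
    print(f"8 chars, case-folded alphanumeric: {effective_bits(8, 36):.1f} bits")
    print(f"16 chars, printable ASCII:         {effective_bits(16, 95):.1f} bits")
```

Running it shows three visibly different passphrases collapsing to the same stored value, and a ceiling of about 41 bits for an 8-character case-folded alphanumeric password against roughly 105 bits for a 16-character password drawn from printable ASCII. Both figures are upper bounds that assume uniformly random choice; human-chosen passwords sit well below them.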



Re: For your reading pleasure

2012-08-14 Thread Angus Scott-Fleming
On 13 Aug 2012 at 9:47, Kurt Buff  wrote:

>  5) Long passwords do indeed work - see 1) and 4) above, but good
> luck asking for 16+ character passwords, especially when some banking
> sites won't let you use more than 8 characters.

AND most bank passwords are case-insensitive, to make things worse.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/







Re: For your reading pleasure

2012-08-13 Thread Ben Scott
On Mon, Aug 13, 2012 at 10:00 AM, David Lum  wrote:
> 9 popular IT security practices that just don't work
>
> http://www.computerworld.com/s/article/9230198/9_popular_IT_security_practices_that_just_don_39_t_work?taxonomyId=85

  Seems to mostly be "9 security practices that if not done properly,
don't work".

  As Larry Niven says, "No technique works if it isn't used.  Not
responsible for advice not taken."

-- Ben



RE: For your reading pleasure

2012-08-13 Thread Stu Sjouwerman
And did you see the second comment when you read it?

That -was- me !!  LOL

Stu


From: David Lum [mailto:david@nwea.org]
Sent: Monday, August 13, 2012 10:01 AM
To: NT System Admin Issues
Subject: For your reading pleasure

9 popular IT security practices that just don't work
http://www.computerworld.com/s/article/9230198/9_popular_IT_security_practices_that_just_don_39_t_work?taxonomyId=85

As I read it I kept expecting to read "Stu Sjouwerman says..."  :)

And the corresponding "do this" article by the same folks.
http://www.infoworld.com/d/security/10-crazy-it-security-tricks-actually-work-196864?page=0,3&source=fssr
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764





Re: For your reading pleasure

2012-08-13 Thread Kurt Buff
On Mon, Aug 13, 2012 at 7:00 AM, David Lum  wrote:
>
> 9 popular IT security practices that just don't work
>
>
> http://www.computerworld.com/s/article/9230198/9_popular_IT_security_practices_that_just_don_39_t_work?taxonomyId=85

 1) Application whitelisting

 2) Win7 has host-based firewalls turned on by default - they're
still necessary. And, he seriously underestimates the power of
perimeter firewalls set up with default deny stances.

 3) So, patching doesn't work if you don't patch? Wow. There's a revelation.

 4) I agree with this one, actually, but I also think it won't help much

 5) Long passwords do indeed work - see 1) and 4) above, but good
luck asking for 16+ character passwords, especially when some banking
sites won't let you use more than 8 characters.

 6) False dilemma

 7) So, if you don't do PKI right, you're screwed. Another revelation.

 8) Agree with this

 9) Agreed, and see 1) above

> And the corresponding “do this” article by the same folks.
> http://www.infoworld.com/d/security/10-crazy-it-security-tricks-actually-work-196864?page=0,3&source=fssr

 1) Oy - fail. Disabling and setting up one or two others, and
logging attempts? Yes. Renaming? Not so much.

 2) Yes, agreed. RBAC and such are good.

 3) Agreed, if you have the staff resources to actually pay
attention to them. (same for IDS/IPS, BTW)

 4) Agreed, for some, but not all applications. Certainly RDP, SSH
and a few others. OTOH, putting up a web site that isn't port 80 or
443 is just asking for trouble.

 5) Somewhat, yes - it certainly makes the intruder work harder

 6) Yes -tarpitting is wonderful. It's really too bad that MSFT
hasn't incorporated this into its software. For instance, rather than
simple account lockout, I'd like to see exponential backoff in
response to bad login attempts. In either case you run the risk of a
DoS, but that's a price you're going to pay either way.

 7) Network flow analysis and IDS/IDP technologies are an excellent match

 8) Oh, my yes. Locking screen savers are good.

 9) Somewhat disagree - it's certainly best practice to limit
browsing from servers, but I think that's better handled by egress
filtering

 10) But of course - security must be baked into the development
process, but that's not something most sysadmins can influence.


Kurt
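Kurt's item 6 above, exponential backoff on bad logins rather than a fixed lockout, is easy to sketch. The following is an added example (not code from the thread, from Microsoft, or from any product): a throttle that doubles the wait after each consecutive failure up to a cap, resets on success, and records each decision for monitoring. The base and cap values, the FakeClock and the "s3cret" credential are constructed for the demo.

```python
import time
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0        # consecutive failed attempts for this account
    not_before: float = 0.0  # earliest time the next attempt is evaluated


class LoginThrottle:
    """Exponential backoff on failed logins instead of a hard lockout.

    Hypothetical sketch: after the n-th consecutive failure an account must
    wait base * 2**(n-1) seconds, capped at `cap`, before another attempt is
    evaluated. The cap is the DoS compromise the post mentions: someone
    hammering a username can still keep the real user waiting, but only for
    a bounded, predictable interval, never indefinitely.
    """

    def __init__(self, base=1.0, cap=300.0, clock=time.monotonic):
        self.base = base
        self.cap = cap
        self.clock = clock        # injectable so tests can fake time
        self._state = {}
        self.events = []          # (time, user, outcome) for the SIEM

    def delay_for(self, failures):
        """Seconds to wait after `failures` consecutive bad attempts."""
        if failures <= 0:
            return 0.0
        return min(self.cap, self.base * 2 ** (failures - 1))

    def attempt(self, user, password, verify):
        """Return (outcome, seconds): outcome is "ok", "denied" or "throttled"."""
        now = self.clock()
        st = self._state.setdefault(user, _State())
        if now < st.not_before:
            # Even a correct password is refused inside the window; that is the
            # deliberate trade-off, and it is logged so a flood is visible.
            self.events.append((now, user, "throttled"))
            return ("throttled", st.not_before - now)
        if verify(user, password):
            self._state.pop(user, None)   # success resets the backoff
            self.events.append((now, user, "ok"))
            return ("ok", 0.0)
        st.failures += 1
        delay = self.delay_for(st.failures)
        st.not_before = now + delay
        self.events.append((now, user, "denied"))
        return ("denied", delay)


class FakeClock:
    """Constructed clock so the demo runs instantly and deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Five wrong passwords, each followed by waiting out the backoff, then the right one."""
    clock = FakeClock()
    throttle = LoginThrottle(base=1.0, cap=8.0, clock=clock)
    verify = lambda user, pw: pw == "s3cret"   # constructed credential check
    results = []
    for _ in range(5):
        results.append(throttle.attempt("alice", "wrong", verify))
        clock.advance(results[-1][1])          # wait exactly the imposed delay
    results.append(throttle.attempt("alice", "s3cret", verify))
    return results


if __name__ == "__main__":
    for outcome, seconds in demo():
        print(f"{outcome:9s} next attempt in {seconds:.0f}s")
```

The delays grow 1, 2, 4, 8 and then stay at the 8-second cap, and the successful login clears the state. Keying the state per account (as here) protects the account; a production version would also key on source address so one noisy client cannot throttle everyone sharing a username.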




RE: For your reading pleasure

2012-08-13 Thread Ziots, Edward
Disagree with (2), (3) and (7) on this article.

(2) People need to combine IPS/Firewall and a lot of Egress filtering,
for Extrusion prevention/detection, which does provide defense in depth,
even if the outbound port is 80/443 etc etc.  If you know the network is
bad through traffic analysis, then egress filtering at one or more
firewalls stops the current malware from phoning home, which blocks the
traffic outbound to the bot herders/attackers.

(3) Patching in and of itself is not a panacea, but it's better than the
alternatives. Actually disabling functionality and locking down your
OS's before they are deployed reduces attack surface and therefore risk
to the system being exploited. (Yes I know the 0 days will be there, but
how many 0 days are you seeing on Full Disclosure, as compared to
responsible disclosure and patches? I would venture it's an 80/20 mix to
responsible disclosure, therefore you have a 20% risk from what you
might know or find out only after being successfully attacked, and of that
20% how many vulnerable systems do you have in your organizations/business?)

(7) Honestly, PKI is somewhat broken, but if you don't practice proper
security management on your PKI, then would you really have the same
assurance of the system and its certificates to provide to the security
of your network devices, and communications?   I agree that the current
practices can be socially engineered, and weak security management on
some well-known PKIs has led them to be hacked and their PKIs used
for nefarious deeds.

Also on the sandboxes, why aren't you using UNIX instead of Windows,
with virtual machines in undoable mode to look at and investigate
questionable sites.  I have done this in practice a lot in my malware
investigations and not had an issue, either using tools like Cuckoo from
Rapid7, or other malware disassembly tools (SIFT workstation from SANS,
etc etc)

Just my comments on this article :) Mileage varies in your
business/organizations.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org


From: David Lum [mailto:david@nwea.org] 
Sent: Monday, August 13, 2012 10:01 AM
To: NT System Admin Issues
Subject: For your reading pleasure

9 popular IT security practices that just don't work
http://www.computerworld.com/s/article/9230198/9_popular_IT_security_practices_that_just_don_39_t_work?taxonomyId=85

As I read it I kept expecting to read "Stu Sjouwerman says..."  :)

And the corresponding "do this" article by the same folks.
http://www.infoworld.com/d/security/10-crazy-it-security-tricks-actually-work-196864?page=0,3&source=fssr

David Lum 
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764
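The egress-filtering point in (2) above, as an added example that is not from the post or from any firewall vendor: a small default-deny policy evaluator run over constructed flow records, showing why "the outbound port is 80/443" is not by itself a reason to let a connection out. The internal network, the resolver, proxy and mail-relay addresses, and the external destinations (RFC 5737 documentation ranges) are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the example: every address below is an assumption.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_RESOLVER = ipaddress.ip_address("10.0.0.53")   # the only DNS resolver
WEB_PROXY = ipaddress.ip_address("10.0.0.8")           # only host allowed to reach 80/443
MAIL_RELAY = ipaddress.ip_address("10.0.0.25")         # only host allowed to send SMTP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"


def egress_decision(flow):
    """Default-deny egress policy. Returns (verdict, reason)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst in INTERNAL_NET:
        # Includes queries to INTERNAL_RESOLVER: internal traffic is not egress.
        return ("allow", "internal destination, not egress")
    if flow.proto == "udp" and flow.dport == 53:
        # External DNS from any host bypasses the resolver and its logging.
        return ("deny", "DNS must go through the internal resolver")
    if flow.proto == "tcp" and flow.dport in (80, 443):
        if src == WEB_PROXY:
            return ("allow", "web traffic relayed by the proxy")
        return ("deny", "direct web egress; only the proxy may reach 80/443")
    if flow.proto == "tcp" and flow.dport == 25:
        if src == MAIL_RELAY:
            return ("allow", "SMTP from the mail relay")
        return ("deny", "direct SMTP from a non-relay host")
    return ("deny", "no egress rule for this port/protocol")


def apply_policy(flows):
    """Evaluate each flow; return the verdict list and denied flows as log lines."""
    verdicts = []
    log = []
    for flow in flows:
        verdict, reason = egress_decision(flow)
        verdicts.append(verdict)
        if verdict == "deny":
            log.append(f"DENY {flow.proto}/{flow.dport} {flow.src} -> {flow.dst}: {reason}")
    return verdicts, log


# Constructed flow records (external addresses from RFC 5737 documentation ranges).
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "10.0.0.53", 53, "udp"),       # workstation -> internal resolver
    Flow("10.0.1.15", "192.0.2.53", 53, "udp"),      # workstation -> external DNS
    Flow("10.0.0.8", "198.51.100.20", 443, "tcp"),   # proxy -> web site
    Flow("10.0.1.15", "198.51.100.20", 443, "tcp"),  # workstation -> web site, bypassing proxy
    Flow("10.0.1.15", "203.0.113.9", 6667, "tcp"),   # workstation -> unexpected port
    Flow("10.0.0.25", "203.0.113.25", 25, "tcp"),    # mail relay -> remote MTA
]

if __name__ == "__main__":
    verdicts, log = apply_policy(SAMPLE_FLOWS)
    print(verdicts)
    print("\n".join(log))
```

The fourth flow is the one the post is about: a workstation talking directly to an outside address on 443 is denied because only the proxy has that privilege, so the connection and its reason land in the log whether or not anyone has yet identified the destination as hostile. The denied-flow log is the detection half of "extrusion prevention/detection": a host that repeatedly trips the policy is worth a look.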

 

 

 
