It looks like a lot of corporate execs in this country are about as bright as whoever in India is in charge of that country's power grid.

On 7/31/2012 21:08, Michael Butash wrote:
> It's them, as a consumer organization, trying to walk the line around
> convenience. Same as some organizations *still* do not enforce
> auto-password locks on workstations because some grumpy executive
> doesn't want to remember a password. Blizzard eventually had to do
> dual-factor when warcrack accounts/items became profitable to sell,
> and others just to keep from becoming a scandal from lazy users.
>
> I enforce mostly the same standards at home I would at work, but sadly
> naive companies treat their data just the opposite - not someone I
> would do business with. No proprietary/pii data should live outside a
> firewall. You'd think they'd at least hold employee accounts to a
> complexity standard, but that assumes they just didn't use the same
> pass everywhere and it got lifted externally. This is common these days.
>
> So yeah, dual-factor externally where possible. And don't use mschap
> v2 to send it (lots of enterprise wifi does). ;)
>
> http://erratasec.blogspot.com/2012/07/the-tldr-version-of-moxies-mschapv2.html
>
> -mb
>
> On 07/31/2012 08:48 PM, Mike Bydalek wrote:
>> Just some random thoughts to expound on Michael's ...
>>
>> I get what you're saying, but I think limiting it to cloud storage
>> isn't enough (or fair). Having *any* NPI (non-public information)
>> stored in any means *other* than being encrypted is just asking for
>> trouble - Dropbox or at home. You can have all your sensitive data on
>> your computer at home until you get robbed and now someone has all
>> your CC#s, bank login info, etc. (or lose your laptop). I pretty much
>> live by the rule of thumb saying, "Anyone can get access to this data.
>> How can I prevent them from using it?"
>>
>> To get back to Dropbox, the employee in question had a file of e-mail
>> addresses. Their account password was probably weak and someone
>> guessed it. This situation can happen under *any* web-based system
>> that isn't using two-factor authentication (Gmail.com? Mint.com?
>> etc.). That's why when websites have really stupid password policies
>> (i.e. no more than 8 characters, no special characters, etc.) or don't
>> have a system which locks the account after X failed attempts,
>> auditing successful logins, etc., I have a really hard time believing
>> they are taking security seriously.
>>
>> -Mike
>>
>> On Tue, Jul 31, 2012 at 7:59 PM, Michael Butash wrote:
>>> http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/
>>>
>>> So yeah, about not trusting cloud storage services...
>>>
>>> "At any rate, users may want to think about examining more secure
>>> alternatives, encrypting their files, or simply not storing
>>> ultra-sensitive information in Dropbox."
>>>
>>> An employee account was exploited for this, probably a password
>>> gotten via some other exploited site, or cracked (weak pw policy). Sad
>>> proprietary/confidential data, let alone pii, was even publicly
>>> accessible in any means. Why I'll keep mine on my rfc1918 ip lan, thanks.
>>>
>>> -mb
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
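The two controls Mike asks for above (lock the account after X failed attempts, and audit successful logins, not only failures), as an added illustration that is not part of the thread; the thresholds of 5 attempts and a 15-minute lockout are assumed values, and `Account`, `login` and `create_account` are names chosen here.

```python
# Added example (not from the thread): lock an account after X failed
# attempts and keep an audit trail of every attempt, successes included.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MAX_FAILED = 5          # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900   # assumed policy: 15-minute lockout


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0
    locked_until: float = 0.0
    audit: list = field(default_factory=list)   # (time, src_ip, outcome)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: a leaked table cannot be cracked quickly offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


def login(acct: Account, password: str, src_ip: str, now=None) -> bool:
    """Return True on success; every outcome is appended to acct.audit."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        # Refuse without checking the password: a locked account must not
        # keep acting as a guessing oracle.
        acct.audit.append((now, src_ip, "rejected-locked"))
        return False
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed = 0
        acct.audit.append((now, src_ip, "success"))   # log successes too
        return True
    acct.failed += 1
    acct.audit.append((now, src_ip, "failure"))
    if acct.failed >= MAX_FAILED:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed = 0
        acct.audit.append((now, src_ip, "locked"))
    return False
```

The audit list is what lets you later spot a "success" from an address the account owner never uses, which is the signal the Dropbox case above would have produced.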