6 comments

  • mikestew 4 hours ago

“Finally, the company should have enforced a strong password policy that would have prevented our heroes from finding dozens of accounts with “winter2023!” as the password.”

    Capitalize that “w”, and you’ve got a password that will pass most PWD policies. Why do they think it was “winter2023!” to begin with? In 90 days when the PWD expires, well, it will be spring of the next year, so…

    The better idea is to require passwords with some real entropy, and get rid of expiring passwords. It’s not 1999 anymore.
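An added illustration of the contrast mikestew draws above, written for this page and not taken from the article or from any commenter: the usual "one of each character class" rule accepts Winter2023! and rejects a long lowercase passphrase, while a guess-count estimate (in the spirit of zxcvbn, scoring a password by the cheapest way an attacker could produce it) does the reverse. The word list, the mangling multipliers and the 40-bit threshold are constructed assumptions for the example; a real checker would load a large breached-password corpus instead of ten words.

```python
import math
import re
import string

# Constructed word list for this example only. A production checker would
# load a large breached-password corpus (e.g. a local HIBP dump) instead.
COMMON_BASES = {
    "winter", "spring", "summer", "autumn", "fall",
    "password", "welcome", "letmein", "qwerty", "admin",
}

# <letters><up to 4 digits><trailing symbols>: the shape of "Winter2023!"
WORD_YEAR_SYMBOL = re.compile(r"^([A-Za-z]+)(\d{0,4})([^A-Za-z0-9]*)$")

# Assumed sizes of the mangling an attacker tries on every dictionary word anyway
CAPITALISATION_VARIANTS = 4   # as-is, First-upper, ALL CAPS, aLtErNaTiNg
TWO_DIGIT_SUFFIXES = 100      # 00-99
FOUR_DIGIT_SUFFIXES = 200     # plausible years, 1900-2099
COMMON_SYMBOLS = 16           # ! @ # $ % ... the usual trailing punctuation


def passes_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """The rule most corporate policies enforce: 8+ characters with at least
    one lowercase, one uppercase, one digit and one symbol.
    "winter2023!" fails, "Winter2023!" passes, which is the whole problem."""
    return (
        len(pw) >= min_len
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def estimate_guesses(pw: str) -> float:
    """Estimate how many guesses an attacker needs. A password is worth the
    cheapest way of producing it, not the size of its character set.

    A <common word><digits><symbols> password is scored as a dictionary pick
    times the cheap mangling above. Anything else falls back to a naive
    brute-force estimate over the character classes actually used."""
    m = WORD_YEAR_SYMBOL.match(pw)
    if m:
        word, digits, symbols = m.groups()
        if word.lower() in COMMON_BASES:
            guesses = len(COMMON_BASES)
            if word != word.lower():
                guesses *= CAPITALISATION_VARIANTS
            if digits:
                guesses *= FOUR_DIGIT_SUFFIXES if len(digits) == 4 else TWO_DIGIT_SUFFIXES
            guesses *= COMMON_SYMBOLS ** len(symbols)
            return float(guesses)
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    return float(charset) ** len(pw) if pw else 0.0


def guess_bits(pw: str) -> float:
    """log2 of the guess estimate, i.e. effective bits of strength."""
    return math.log2(estimate_guesses(pw)) if pw else 0.0


def meets_strength_policy(pw: str, min_bits: int = 40) -> bool:
    """Strength-based rule: at least 2**min_bits guesses, no class rules,
    no expiry. 40 bits is an assumed threshold for offline-crackable hashes."""
    return guess_bits(pw) >= min_bits


if __name__ == "__main__":
    # Constructed candidates, including the one from the article
    for candidate in ("winter2023!", "Winter2023!", "Spring2024!",
                      "correcthorsebatterystaple", "xQ7#vLp2$mZw"):
        print(f"{candidate:28} complexity={passes_complexity_policy(candidate)!s:5} "
              f"bits={guess_bits(candidate):5.1f} strength={meets_strength_policy(candidate)}")
```

Capitalising the "w" flips the complexity verdict but adds roughly two bits to the guess estimate, and rotating to Spring2024! next quarter changes nothing at all; the passphrase that the complexity rule rejects is the only one of the three that the strength rule would let through.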

    • UnfitFootprint 2 hours ago

      Being overly suspicious of everyone is a terrible way to live. Maintenance should have the autonomy to do as they did here - and security correctly followed up. The right response should only be technical imo. A meeting room should not lead to this level of network access.

      • mannyv 2 hours ago

        Maintenance employees are the weakest link. They aren't paid much and don't believe anything is important.

        Be nice to them and they'll be nice to you back.

        • lima 3 hours ago

          > The company also should have restricted network access to the port in the conference room so that an unknown device like a Raspberry Pi could not make an Ethernet connection from that spot

          Bad take - the actual problem is that there was a trusted network in the first place. This kind of network access control is trivial to bypass, and trusted devices can get compromised.

          • bell-cot 1 hour ago

            > There are a lot of lessons here, but they start with training every member of the team to be suspicious of people coming from the outside, without badges, no matter what they say or do. Schloss noted that, if someone looks and acts like they belong in a space, most people will treat them that way.

            > “First and foremost, what most people believe is crime is not crime. It's a Hollywood myth of what crime looks like,” Schloss told us. “I call it the ski mask bias. Everyone assumes you're not getting robbed until a person comes in with a ski mask and a gun yelling.”

            I call this "Trained By Hollywood Syndrome". It's a huge problem, and far beyond mere computer security.

            • z3ugma 3 hours ago

              What always gets me about these red team attacks is the same thing that gets me about internal phishing test emails.

              My company sent an internal phishing test last week. Several people immediately reported it to a cybersecurity engineer, posted about it in Slack, saying they were surprised that such a sophisticated phishing attack was happening.

              I too was surprised - Google is usually much better about catching these kinds of things in the GMail filter before they get through. Oh well, sometimes one slips through. Reported it and moved on.

              Come to learn that the only reason it made it through is because we let it through _on purpose_.

              By analogy to these red team attacks: _theoretically_ someone could rent a car, pose as an employee, and set up a Raspberry Pi in the network.

              But who would go to all that trouble?

              Theoretically, someone could craft a perfect phishing attack, but who would go to all that trouble? Spray-and-pray, low-precision, high-surface-area attacks are the ones I end up reading about.

              The only reason this attack vector was open is because the red team stood to gain a massive benefit from succeeding in the attack. What real-world actor would go to the trouble and stand to benefit as much?