Dailydave mailing list archives
Re: The New York Times Plays with Fire
From: Charisse Castagnoli <charisse () charissec com>
Date: Mon, 4 Feb 2013 09:36:18 -0600
Dave - I agree NYT was playing with fire, but they stuck to their journalistic mission. Maybe they have factored in the risk of being a continuous target of the countries and organizations they report on.

The password problem, on the other hand, is really frustrating. Why, why, why, with mobile phones, tiny dongles etc., are we STILL using passwords everywhere? I used to be able to get by with 3-5 passwords; now I have to have a different password on every account. (Thank goodness for Keeper.) We really have come to the point of absurdity with passwords.

So, on that topic, does anyone in this esteemed group have an opinion about OpenID providers? I'm looking to pay for my OpenID; I don't want to be dependent on a Google or AOL.

Charisse Castagnoli
charisse () charissec com

On Feb 1, 2013, at 4:19 PM, Dave Aitel wrote:

> So one thing I think is interesting is that New York Times story. Here's how it goes, in bullet points:
>
> 1. NYT knows it's ruffling feathers, so it hires AT&T (??) to "watch their network."
> 2. AT&T sees something, so NYT calls in Mandiant.
> 3. Mandiant and NYT let the Chinese hack things and watch them while they penetrate into the domain controller and lots of other machines.
> 4. Article about this comes out on NYT.com, calling out the Chinese.
>
> So, as far as I can tell from their article, the Chinese have all the passwords for every NYT employee. This sounds like something that is not good for NYT employees who may reuse their passwords elsewhere, even if they're changed now.
>
> Likewise, it seems like at any time the Chinese could have turned off the domain controller. That would probably have had significant downsides for NYT, to say the least. Here's why they didn't: their policy did not let them. But that doesn't ameliorate all the risk, as even hackers make typos...
>
> In other words, playing games with hackers on your network for a story is a fundamentally bad idea. Because at some point, you're going to find a contractor who screws up and doesn't follow their own policy (or can't type), and it's going to take down your whole business.
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- The New York Times Plays with Fire Dave Aitel (Feb 04)
- Re: The New York Times Plays with Fire Charisse Castagnoli (Feb 04)
- Re: The New York Times Plays with Fire Mohammad Hosein (Feb 05)
- Re: The New York Times Plays with Fire Brian Keefer (Feb 04)
- Message not available
- Re: The New York Times Plays with Fire david laumann (Feb 05)
- Re: The New York Times Plays with Fire Charisse Castagnoli (Feb 04)
- Re: The New York Times Plays with Fire Richard Bejtlich (Feb 06)
- Re: The New York Times Plays with Fire al bell (Feb 06)