Comments for Shades of Gray Security http://shadesofgraysecurity.com Because security isn't always black & white Tue, 08 Nov 2011 17:44:22 +0000 hourly 1 http://wordpress.org/?v=3.2.1 Comment on Password Primer by Jason Ingalls http://shadesofgraysecurity.com/password-primer/comment-page-1/#comment-3803 Jason Ingalls Tue, 08 Nov 2011 17:44:22 +0000 http://shadesofgraysecurity.com/?p=220#comment-3803 Excellent article. One thing I might add is to reinforce the idea that folks shouldn't reuse passwords. If you use an email provider on the web, Facebook, or other website that allows you to log in without encrypting the traffic between you and their server, this could spell disaster if your password for that service is shared with other accounts. Here's how: Let's say I'm a sneaky bad guy. I spend time in hotels/airports/Starbucks and anywhere else there is unsecured (unencrypted) wireless, just sniffing the traffic that's going between your laptop and the Wireless Access Point you are using to get on the Internet to go to, say, Facebook. I watch you log on to Facebook, and I get the username and the password that you send to Facebook because it's not encrypted. Or I watch you log into GMail, and get your username and password the same way. What matters is I now know your account information. Another major concern is that by using the same password for all of your accounts on all of the various services you log into on the Internet, you are trusting each service equally. Do you think that your Neighborhood Association's website should be trusted with the same amount of responsibility to keep your password safely stored as your bank? I hope not, but if you use the same password for both of them, it means that they are. Some services are not well secured, and that means that if bad guys managed to hack into a weaker site that has the same password you use for everything else, everything else is just as vulnerable for you as the site that just got hacked. Bad ju ju. If you use one password to log into everything, and I capture it, I can use it to log into everything you do. Never use the same password to log into two or more systems. -Jason Excellent article. One thing I might add is to reinforce the idea that folks shouldn’t reuse passwords. If you use an email provider on the web, Facebook, or other website that allows you to log in without encrypting the traffic between you and their server, this could spell disaster if your password for that service is shared with other accounts. Here’s how:

Let’s say I’m a sneaky bad guy. I spend time in hotels/airports/Starbucks and anywhere else there is unsecured (unencrypted) wireless, just sniffing the traffic that’s going between your laptop and the Wireless Access Point you are using to get on the Internet to go to, say, Facebook. I watch you log on to Facebook, and I get the username and the password that you send to Facebook because it’s not encrypted. Or I watch you log into GMail, and get your username and password the same way. What matters is I now know your account information.

Another major concern is that by using the same password for all of your accounts on all of the various services you log into on the Internet, you are trusting each service equally. Do you think that your Neighborhood Association’s website should be trusted with the same amount of responsibility to keep your password safely stored as your bank? I hope not, but if you use the same password for both of them, it means that they are.

Some services are not well secured, and that means that if bad guys managed to hack into a weaker site that has the same password you use for everything else, everything else is just as vulnerable for you as the site that just got hacked. Bad ju ju.

If you use one password to log into everything, and I capture it, I can use it to log into everything you do. Never use the same password to log into two or more systems.

-Jason

]]> Comment on Security from Obscurity: Building a Security Program, Define the Domain by Caiya http://shadesofgraysecurity.com/building-security-program-part2/comment-page-1/#comment-2555 Caiya Fri, 15 Jul 2011 06:09:33 +0000 http://shadesofgraysecurity.com/?p=160#comment-2555 It's much easier to unesdtrand when you put it that way! It’s much easier to unesdtrand when you put it that way!

]]> Comment on Security from Obscurity: Building a Security Program, Define the Domain by Security from Obscurity: Building a Security Program, Understanding the Standards | Shades of Gray Security http://shadesofgraysecurity.com/building-security-program-part2/comment-page-1/#comment-112 Security from Obscurity: Building a Security Program, Understanding the Standards | Shades of Gray Security Thu, 18 Mar 2010 23:34:24 +0000 http://shadesofgraysecurity.com/?p=160#comment-112 [...] about a few different standards, and focus on the one you most likely should start with. In the last installment we touched on ISO 17799. This is probably the best place to start to build a security program. [...] [...] about a few different standards, and focus on the one you most likely should start with. In the last installment we touched on ISO 17799. This is probably the best place to start to build a security program. [...]

]]> Comment on Contact Us by Security from Obscurity: Building a Security Program, Define the Domain | Shades of Gray Security http://shadesofgraysecurity.com/about/contact/comment-page-1/#comment-41 Security from Obscurity: Building a Security Program, Define the Domain | Shades of Gray Security Tue, 15 Sep 2009 00:01:30 +0000 http://shadesofgraysecurity.com/?page_id=141#comment-41 [...] Contact Us [...] [...] Contact Us [...]

]]> Comment on Security from Obscurity: Building a Security Program, Intro by Security from Obscurity: Building a Security Program, Define the Domain | Shades of Gray Security http://shadesofgraysecurity.com/building-security-program-part1/comment-page-1/#comment-40 Security from Obscurity: Building a Security Program, Define the Domain | Shades of Gray Security Tue, 15 Sep 2009 00:00:28 +0000 http://shadesofgraysecurity.com/?p=106#comment-40 [...] our first installment, we decided who needs to be involved in the program and an idea of how it is structured and to whom [...] [...] our first installment, we decided who needs to be involved in the program and an idea of how it is structured and to whom [...]

]]> Comment on Contact Us by building a security program from scratch | Shades of Gray Security http://shadesofgraysecurity.com/about/contact/comment-page-1/#comment-37 building a security program from scratch | Shades of Gray Security Mon, 07 Sep 2009 17:51:36 +0000 http://shadesofgraysecurity.com/?page_id=141#comment-37 [...] Contact Us [...] [...] Contact Us [...]

]]> Comment on Killing bugs, a Social Engineering Odyssey by Killing Bugs, a Social Engineering Odyssey | DC225 http://shadesofgraysecurity.com/killing-bugs-social-engineering-odyssey/comment-page-1/#comment-11 Killing Bugs, a Social Engineering Odyssey | DC225 Wed, 24 Jun 2009 20:04:24 +0000 http://shadesofgraysecurity.com/?p=36#comment-11 [...] continued at social engineering true story – Shades of Gray Security. Tags infosec• social engineering Leave a Reply Click here to cancel [...] [...] continued at social engineering true story – Shades of Gray Security. Tags infosec• social engineering Leave a Reply Click here to cancel [...]

]]> Comment on No Firewalls for Stupid by Chuck http://shadesofgraysecurity.com/no-firewalls-for-stupid/comment-page-1/#comment-10 Chuck Wed, 24 Jun 2009 18:26:17 +0000 http://shadesofgraysecurity.com/?p=5#comment-10 That being said... I love stupid people. They generally keep me employed. That being said… I love stupid people. They generally keep me employed.

]]> Comment on No Firewalls for Stupid by Twisted http://shadesofgraysecurity.com/no-firewalls-for-stupid/comment-page-1/#comment-9 Twisted Wed, 24 Jun 2009 16:28:48 +0000 http://shadesofgraysecurity.com/?p=5#comment-9 As long as there are people excited to get greeting cards for no particular reason, from people they don't even know, there will always be people fighting Conficker. "I'm sorry Mr. CEO, that wasn't a stranger showing you some unexpected love, that was a virus. You lose one internets." As long as there are people excited to get greeting cards for no particular reason, from people they don’t even know, there will always be people fighting Conficker. “I’m sorry Mr. CEO, that wasn’t a stranger showing you some unexpected love, that was a virus. You lose one internets.”

]]> Comment on No Firewalls for Stupid by Chuck http://shadesofgraysecurity.com/no-firewalls-for-stupid/comment-page-1/#comment-8 Chuck Wed, 24 Jun 2009 15:31:56 +0000 http://shadesofgraysecurity.com/?p=5#comment-8 Great site! All the security in the world doesn't prevent someone from doing something stupid. You can usually mitigate stupid at the end user level, but once it travels too far up the chain it's over. I'm still amazed that people are still fighting with things like Conficker even though it's basically been defeated months ago. Great site! All the security in the world doesn’t prevent someone from doing something stupid. You can usually mitigate stupid at the end user level, but once it travels too far up the chain it’s over. I’m still amazed that people are still fighting with things like Conficker even though it’s basically been defeated months ago.

]]>