69 pointsby ike_usawa4 hours ago6 comments
  • mikestew3 hours ago
    ”Finally, the company should have enforced a strong password policy that would have prevented our heroes from finding dozens of accounts with “winter2023!” as the password.”

    Capitalize that “w”, and you’ve got a password that will pass most PWD policies. Why do they think it was “winter2023!” to begin with? In 90 days when the PWD expires, well, it will be spring of the next year, so…

    The better idea is to require passwords with some real entropy, and get rid of expiring passwords. It’s not 1999 anymore.

    • mikestew15 minutes ago
      Replying to my own post: wait a minute, why are there so many accounts with the same password in the first place? Oh, because "dozens" of people are tired of changing their password every 90 days, and someone piped up on an email thread (with the subject line: "Changing passwords all the time is bullshit!", I'm sure) and said, "I just set it to $SEASON$YEAR'!'. Easy to remember, fits the policy."

      And now you have a system that is far less secure than if you just ditched the expiration policy to begin with.

    • alt227an hour ago
      Expiring passwords are one of my biggest gripes, and I still see them everywhere
      • grg0an hour ago
        Expiring passwords and length limits. Why can't my password be a 5KB long? My password manager has no limits. Are people storing them in plain text in 2026?
        • ryandrake42 minutes ago
          And content limits. Why can't my password contain the % character? No special characters? What makes a character "special"? Why can't it contain emoji? So many password systems go to great lengths to remove potential entropy and randomness from passwords with their rules. The usual excuse is "blah blah blah legacy systems" which is not a good reason.
          • fph23 minutes ago
            Personally, I wouldn't use anything beyond ASCII in a password. I don't want encoding bugs to lock me out of my encrypted partition or bank account, thank you very much.
        • sgc39 minutes ago
          I ran into a website for work that would let you create a long password, but silently truncate it to 12 characters before saving. Mind boggling.
          • j4k325 minutes ago
            This happens on some HP printers too, the web interface lets you happily enter lengthy passwords, but doesn't bother telling you it truncated the entry at 16 or 12 characters.
          • halJordan34 minutes ago
            This is the best. Especially when the password is being autotyped by the pw manager and so you never see the truncation and now have a bad pw saved in your manager. Alongside a restrictive password policy with no ui explaining what the policy is.
        • mschuster9144 minutes ago
          I wouldn’t trust enterprise internet security boxes to not trip on such long text fields.
      • wpman hour ago
        My company does it to our phone passcodes. 90 days.
    • Xeoncross3 hours ago
      1. Open a web browser and do a search

      2. Read until you find a sentence that you like.

      3. Use it as your password

      • raffraffraff3 hours ago
        How about mixing up band names? Take the end of "Florence and the machine" and mix it with the start of "Rage against the machine" and you now have the totally unguessable "Rage sharing the machine". It's a different machine see?! Nobody would know that!
        • NopIdoNan hour ago
          The The but the first The is from The Who
      • ChrisRR3 hours ago
        I like the last line of your comment

        My password is now password

        • nickweb16 minutes ago
          That's cool. Yours comes up as stars (*). Must be a HN thing.
        • daredoes2 hours ago
          Should have been "use it as your password"
        • hnthrow102829103 hours ago
          Hacked
      • glitchc3 hours ago
        Not enough numbers or special characters usually.
        • lukan2 hours ago
          Use one specific special character/number as word separator.
        • chopin2 hours ago
          I loathe two things in password requirements: special characters and not allowing spaces. C'mon, it's 2026. Require 20 characters and call it a day.
          • Xeoncross2 hours ago
            "password is to long, max length..."

            (╯°□°)╯︵ ┻━┻

            • Volundran hour ago
              I couldn't decide which sentence of Alice in Wonderland was my favorite, so I just used the full text.
    • 2 hours ago
      undefined
    • samrus3 hours ago
      I swear if the ghouls running things had abit more decency and allowed people to actually access and controll their passkeys then that would be the future, everyone would adopt it. The experience is so nice with key pair exchange for ssh. Its just that there i have thr security of knowing exactly where my secret is and how i can manage it, its just a file and i can move it like a file

      Nobody wants the risk of getting locked out because of apple and googles walled garden bullshit

    • James_K2 hours ago
      Letting users pick their own passwords has always been a mistake. If passwords are needed, the system should choose them.
      • NopIdoN2 hours ago
        just directly give them a post-it for their monitor
      • kgan hour ago
        As a person with memory issues, this is a recipe for me writing a password down where somebody else can probably find it.
        • ryandrake40 minutes ago
          If your machine or service is connected to the Internet, 631U)VN0Onl? written on a post-it note is generally going to be better than hunter2 not written down.
        • fouc42 minutes ago
          but post-its are vulnerable to the wrench attack!
  • UnfitFootprint2 hours ago
    Being overly suspicious of everyone is a terrible way to live. Maintenance should have the autonomy to do as they did here - and security correctly followed up. The right response should only be technical imo. A meeting room should not lead to this level of network access.
    • lokaran hour ago
      A better approach is to train everyone to be polite and helpfully walk the person to reception, who can arrange access.
    • Volundran hour ago
      > Maintenance should have the autonomy to do as they did

      Really? We're talking about letting strangers in through the literal back door.

  • mannyv2 hours ago
    Maintenance employees are the weakest link. They aren't paid much and don't believe anything is important.

    Be nice to them and they'll be nice to you back.

  • lima3 hours ago
    The company also should have restricted network access to the port in the conference room so that an unknown device like a Raspberry Pi could not make an Ethernet connection from that spot

    Bad take - the actual problem is that there was a trusted network in the first place. This kind of network access control is trivial to bypass, and trusted devices can get compromised.

    • Symbiote2 hours ago
      It's not my field, but at least at my work the network can somehow tell the difference between an authorized user and not. It is not simply using the MAC address.

      A guest device connected to the ethernet port in the conference room has the same access as a device connected to the guest wifi, a staff laptop has it's usual access.

      • onraglanroadan hour ago
        Probably a RADIUS server setup.

        Basically staff machines get a certificate to present to the server and the server controls the network.

        So, if your machine does nothing, it's on the guest vlan and has limited access. If it presents a valid certificate that network port is reassigned to the staff vlan and you get full access.

        If someone leaves, you just revoke the certificate and they have guest access again.

        Not rocket science once you know it :)

        • lokaran hour ago
          Still better to do that same thing (cert based auth) at the application layer instead of the network layer.
          • EvanAnderson13 minutes ago
            That's great when you have control of your applications. For most corporate IT you're stuck with COTS applications and whatever their built-in auth functionality is. Sure, you can probably bolt a reverse proxy in front (if you're lucky enough for it to be a web app and not a thick native code client) but you get to argue with the vendor when they refuse support because you're not using their recommended configuration.

            802.1x certificate-based authentication at layer 2 is a good defense in depth strategy.

          • onraglanroad16 minutes ago
            Yes, you can do it by MAC address instead but that can be changed so you can spoof a legitimate device.

            Edit: oh wait, you mean have the applications check the certificate? Yes, but then you need support from the application. Does your printer do that, for example? You need to make sure everything does. You can of course do both.

  • bell-cot10 minutes ago
    > There are a lot of lessons here, but they start with training every member of the team to be suspicious of people coming from the outside, without badges, no matter what they say or do. Schloss noted that, if someone looks and acts like they belong in a space, most people will treat them that way.

    > “First and foremost, what most people believe is crime is not crime. It's a Hollywood myth of what crime looks like,” Schloss told us. “I call it the ski mask bias. Everyone assumes you're not getting robbed until a person comes in with a ski mask and a gun yelling.”

    I call this "Trained By Hollywood Syndrome". It's a huge problem, and far beyond mere computer security.

  • z3ugma2 hours ago
    What always gets me about these red team attacks is the same thing that gets me about internal phishing test emails.

    My company sent an internal phishing test last week. Several people immediately reported it to a cybersecurity engineer, posted about it in Slack, saying they were surprised that such a sophisticated phishing attack was happening.

    I too was surprised - Google is usually much better about catching these kinds of things in the GMail filter before they get through. Oh well, sometimes one slips though. Reported it and moved on

    Come to learn that the only reason it made it through is because we let it through _on purpose_.

    By analogy to these red team attacks: _theoretically_ someone could rent a car, pose as an employee, and set up a Raspberry Pi in the network.

    But who would go to all that trouble?

    Theoretically, someone could craft a perfect phishing attack, but who would go to all that trouble? Spray-and-pray, low precision, high surface area, attacks are the ones I end up reading about.

    The only reason this attack vector was open is because the red team stood to gain a massive benefit from succeeding in the attack. What real-world actor would go to the trouble and stand to benefit as much?

    • toast018 minutes ago
      > Theoretically, someone could craft a perfect phishing attack, but who would go to all that trouble? Spray-and-pray, low precision, high surface area, attacks are the ones I end up reading about.

      I've been at a company that was well targetted. I forget which group it was, but they were got into a lot of customer service sites that week; not ours, but we had some near misses. Almost got me, sent me an email from the boss with 'The blog is down' and a link ... I was checking my mail on mobile as I was out the door, but of course mobile doesn't show any useful headers like from address.

    • lnsruan hour ago
      Imaginary country called Nicha can’t buy lithography machine from imaginary company called SAML. Nicha can kidnap some scientists and torture them to get all the secrets. But it’s not elegant. Nicha can pay a lot for hacking and get the result in anonymous way. I guess 8 figures can be paid easily for these secrets. With that money “red team” can launch very nice multifaceted social hacking attack.
    • lokaran hour ago
      I remember at some point Google disallowed more phishing attacks from red teams. Nothing new was being learned. They always work.
    • Volundran hour ago
      > But who would go to all that trouble?

      I mean, a company I worked at had a significant amount of money stolen after the attackers spent 6 months sitting on their access waiting for the right moment to fake an (expected) reply to an email exchange. The original breach (or at least the breach of this executives account) involved a very targeted phish. When the potential payout is millions it justifies a lot of effort.