Poxy Password Policies ...

There is a debate rambling along on our corporate social media platform (Yammer) – someone spotted some excellent advice from GCHQ advising against having corporate password policies that force the users to change their password at too frequent intervals.

Once the user has realised what this entails they will create the following password structure …
MagicWord99
99 represents any number between 00 and 99 and I am sure that if they have worked at organisation X for long enough they could make the leap to three digits.

The problem is that if an older password is compromised – for example via a key logger that managed to get by all anti-malware security (which they can do). The password methodology is revealed – you may have changed your password to 99+1. Yet the attacker still knows your password, in spite of corporate policy.

The same applies for the encryption of USB – not that we are conflating two different technologies. Forcing full encryption and password protection of USB drives means that:
  1. I will avoid using them – viva la cloud.
  2. Those who do may now create a shared password – facepalm
  3. Others may now stick the password on the wall, screen, department cat or USB stick – facepalm++
Even when capable individuals share what is happening on our social media platform. Our IT souls seem to be in dismal denial – it is policy they explain. Yep – an utterly useless policy that has been debunked by experts.  They try to claim that external compliance forces this - for an entire university, hmmm, maybe for a section. Has nobody tried network segmentation - or additional layers of security for risk systems?

Passwords need to change – the frequency lowered and the need to write a rule that stops incremental digits. (off hand I cannot recall if Microsoft offers this – to be fair, I can see where any network admins hands are tied).

We do not know if there has ever been a data breach at the OU via USB – chances are if data is escaping, we are probably pissing it out via the cloud. We collaborate with an innumerable number of external parties – this is what academia does. Rather than comply with policy – we are working around a set of rules better suited to a grey suited corporate monolith.

Alas – lateral thinking and maybe asking those who work intellectually in this field may be a start. Sadly this is not the only case for my University, one encounters this in many other academic spheres.





Comments

Post a Comment

Popular posts from this blog

Wikipedia editors never walk alone: Hillsborough changes can be traced ... from @ConversationUK

Image
By Andrew Smith , The Open University According to the Liverpool Echo , UK government computers have been used to make offensive comments on the Wikipedia page detailing the 1989 Hillsbourgh Disaster over a number of years. The newspaper reports that revisions to the page have been made from computers using the government’s secure intranet since 2009. They include insults to Liverpool fans and a comment suggesting that fans were responsible for the football ground disaster, in which 96 people died. This case highlights the continual issue of trolling and cybervandalism on Wikipedia. It also shows how journalism is using good, technical forensic tools at the disposal of every cybercitizen. Cybercitizens can be good or bad So many of us use Wikipedia on a daily basis that it is one of the most visited websites in the world. Yet not that many of us really understand how it works. Wikipedia is based on the principle that the community can create, edit and refine pages covering
Read more

If airlines offer in-flight Wi-Fi, they should invest in an extra black box for security ...

Image
Yijun Yu , The Open University and Andrew Smith , The Open University In-flight Wi-Fi is one of the most sought-after facilities for air travellers these days, now that laptops and smartphones are so common and so much of our working and personal life revolves around online services. But a US Government Accountability Office report has suggested that many in-flight wireless networks could expose the plane to being hacked or remotely controlled . In fact it’s of such a concern to US authorities that when a well-known computer security expert made an admittedly ill-thought-out joke about doing so on Twitter, he was promptly arrested, his computers confiscated, and subsequently banned from the airline . And all he was suggesting was to make the oxygen masks drop down. So it would appear that the stuff of Hollywood may jump from fiction to fact: Liam Neeson and Julianne Moore starred in the 2014 film Non-Stop , where a passenger hacking the aircraft’s internal wirel
Read more

Highlights and lowlights of 2014, a golden year for cybercrime from @ConversationUK

Image
Looking back, 2014 was not a good year for keeping things safe under digital lock and key. If a score was being kept, it might seem that the cybercriminals are in the lead, despite the valiant efforts – and own goals – from the cybersecurity profession worldwide. Cast your mind back to March , everyone was panicking about the HeartBleed bug. Based on an error in code upon which the majority of the world’s secure servers relied, experts had plenty of time to fix the issue. Sadly there was an array of conflicting information about changing passwords, leading to widespread confusion. While most IT administrators made sure this was managed in a professional manner, it created a stir that seemed to set the tone for the year. In May , online auction giant Ebay admitted to having been compromised. The site said its systems, with personal details of tens of millions of users, may have had been vulnerable for months. Everyone was advised, indeed forced, to change their password. In the
Read more