posted by CoolHand on Monday May 04 2015, @10:38PM
from the security-oops dept.

Nick and Margaret: The Trouble with Our Trains is a BBC Two show featuring Nick Hewer and Margaret Mountford, who explore "the sorry state of the British rail network."

The dynamic duo's travels took them to the Wessex Integrated Control Centre, located above the platform entrances at London Waterloo railway station, manned 24 hours a day by teams of controllers from both South West Trains and Network Rail.

[The] documentary revealed more than it planned this week, exposing the passwords used at a rail control centre.

The article features a frame of the video which shows the complex login credentials taped to an LCD panel of a Windows XP terminal.

One might wonder if overstrict password policy brought this about, except obviously a strict password policy would not allow the password that is stickied to the monitor.
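Added worked example (an editor's addition, not code from the story, the BBC programme or the linked article): the summary's point is that a complexity-style policy is no defence against a password like the one the article reports. The check below contrasts a typical length-plus-character-class rule with a blocklist check of the kind NIST SP 800-63B recommends. The blocklist, the normalisation rules and the candidate passwords are all constructed for this example; a real deployment would load a top-N list from a breach corpus.

```python
"""Compare a 'complexity' password policy with a blocklist check.

Example code added to this page; the blocklist and mangling rules are
constructed assumptions, not anything the article describes.
"""
import re

# Constructed stand-in for a real "top N leaked passwords" list (lower-cased).
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football", "summer",
}

# Undo the leet substitutions that cracking wordlists apply as rules anyway.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def complexity_ok(pw: str) -> bool:
    """The kind of rule a 'strict' policy enforces: length and character classes.
    It is satisfied by 'password3', which is the whole point of the story."""
    return (len(pw) >= 8
            and re.search(r"[a-zA-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def normalise(pw: str) -> set:
    """Candidate base words an attacker's mangling rules would derive this
    password from: lower-cased, trailing/leading digits stripped, leet undone."""
    base = pw.lower()
    stripped = re.sub(r"[\d!@#$%^&*.]+$", "", base)      # "password3" -> "password"
    lead_stripped = re.sub(r"^[\d!@#$%^&*.]+", "", stripped)  # "1password" -> "password"
    variants = {base, stripped, lead_stripped,
                base.translate(LEET), stripped.translate(LEET)}
    return {v for v in variants if v}


def blocklist_ok(pw: str, blocklist=BLOCKLIST) -> bool:
    """Reject if the password, or any normalised form of it, is a known weak password."""
    return not (normalise(pw) & blocklist)


def evaluate(pw: str) -> dict:
    """Verdict of both policies side by side."""
    return {"complexity": complexity_ok(pw), "blocklist": blocklist_ok(pw)}


if __name__ == "__main__":
    # Constructed candidates; "password3" is the password the linked article reports.
    for candidate in ["password3", "password123", "P@ssw0rd1",
                      "summer2015", "correct-horse-battery"]:
        print(f"{candidate!r:24} {evaluate(candidate)}")
```

Note that the complexity rule accepts every trivially guessable entry and rejects the one passphrase an attacker would actually struggle with; the blocklist check gets all five right without any character-class rule at all.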

 
  • (Score: 5, Insightful) by vux984 on Monday May 04 2015, @11:21PM

    by vux984 (5045) on Monday May 04 2015, @11:21PM (#178841)

    We've replaced poor security with even worse security

    The new password at least requires physical access to something not many will have physical access to. The slip of paper taped under the keyboard really isn't that bad. It's not good, of course, but nobody in a basement somewhere in some foreign country is getting at it easily there. So that's at least good. Anyone in the office can get to it... but odds are most of them should, and/or are at least somewhat trusted. It's still poor password management, don't get me wrong, but it's probably better than it being "password123" and not written down.

    In other words the old system was trivially remotely vulnerable; the new system is trivially locally vulnerable... but "locally" is a smaller and more controlled space occupied by people who were trusted enough to hire... so that's actually quite a bit better than it was.

    Taped on the monitor is of course much worse than under the keyboard... due to it being that much more exposed. So it's bad. Employee-should-be-disciplined-or-even-fired bad if it's an important password. But even this is better than just having a trivial password. Someone still has to get onsite to see it in most cases, as most of us don't have TV crews filming in our offices to broadcast it to the world.

    I don't know the answer, but it's not this.

    Password safes I think are the current best answer for most passwords for most users.

    Even taped to the monitor isn't usually that bad... how many of our offices end up on HDTV? Mine never has. But yeah, keeping it out of sight should be at least common sense. I use Password Safe myself, which is pretty good, and I can use the passwords most of the time without ever having to see them... double click the entry and it's copied to the clipboard. Although some systems and websites that for whatever reason have prevented pasting from the clipboard to the password field require me to display it on the monitor to copy manually.

  • (Score: 2) by snick on Monday May 04 2015, @11:40PM

    by snick (1408) on Monday May 04 2015, @11:40PM (#178848)

    In other words the old system was trivially remotely vulnerable.

    Not. True.

    In order to "hack" an easily guessable password, either the system must allow multiple login attempts without throwing up a red flag, or the hashed passwords have to be stolen. Password nazis make the assumption that insane password policies (onus on the end user) are manageable and actually securing the hashed password (onus on ... well, usually on the password nazi him/herself) is an impossibility.
    SECURE YOUR FUCKING SYSTEMS AND PASSWORDS THAT WE HAVE BEEN TOLD ARE WEAK ARE ACTUALLY JUST FINE.

    • (Score: 3, Interesting) by vux984 on Tuesday May 05 2015, @12:22AM

      by vux984 (5045) on Tuesday May 05 2015, @12:22AM (#178874)

      In order to "hack" an easily guessable password, either the system must allow multiple login attempts without throwing up a red flag

      So it throws a "red flag". Then what? Anyone serious about remotely guessing passwords will throw them at you from various random IP blocks etc. I run an SFTP server at home for example, and it's constantly hit with password attempts; after a few fails from an IP it throws up a short ban on that IP address, and I can review the logs. But what's the point? Every day, there's dozens to hundreds of login attempts from somewhere or other.

      So if it's easily guessed or present on a top 5000 passwords list or something they'll be in within a few days. A few minutes if they have a botnet.

      Password nazis make the assumption that insane password policy (onus on the end user) are manageable and actually securing the hashed password (onus on ... well, usually on the password nazi him/herself) is an impossibility.

      Oh I fully agree with you. But end users have to live in the world as-it-is and need mechanisms to cope. Even if you convince your own internal IT admin of a sensible policy; so what... I'm not going to convince the other 50 websites and systems I need access to. From Google to Microsoft to my registrar to Amazon... to that place I buy used Lego...

      PASSWORDS THAT WE HAVE BEEN TOLD ARE WEAK ARE ACTUALLY JUST FINE.

      Yes, at least some of them are. But an awful lot of them appear on a top 1000 password list. That's why it's a "top" list.

      Securing the password hashes and properly logging accesses/access attempts only gets you so far. If your users are using a password on a top list somewhere, they'll get in.

      • (Score: 2) by urza9814 on Tuesday May 05 2015, @07:08PM

        by urza9814 (3954) on Tuesday May 05 2015, @07:08PM (#179207) Journal

        So if its easily guessed or present on a top 5000 passwords list or something they'll be in within a few days. A few minutes if they have a botnet.

        I'm not familiar with any password lock-out systems that work the way you seem to be assuming. Every one I'm familiar with locks *the user account*, not the IP trying to connect. So it doesn't matter how large their botnet is, they still only get three tries. And then generally the account is locked pending manual intervention, which may be hours or days before they get another three attempts. Good luck brute-forcing your way past that...

        Of course, a decent password is still better than a "most common" password, but if you're relying solely on password complexity to protect you from a brute-force attack, you're doing something wrong.

        And regarding the local attacks -- Where I work, if you want access to a system, you submit a request and someone who has no idea who you are or what you do makes sure you included the required information and approves it. Usually you do have to get it approved by one of your ten managers, but they don't *really* know what you need either so they'll approve anything. And people share passwords, and there's some common service accounts...of course this is for our PT environments, but those do have production data. The actual prod environments are a bit more locked down, but anyone who works here could easily get read access at least. So it doesn't matter much if the password is stuck to the monitor, because anyone in the building can probably access that account anyway. And if the concern is that they might use that computer on someone else's account...that would all be captured by the security camera. It's bad practice, sure, but it's far from the top concern in the vast majority of cases. Except one like this, of course...

        • (Score: 2) by vux984 on Tuesday May 05 2015, @10:47PM

          by vux984 (5045) on Tuesday May 05 2015, @10:47PM (#179283)

          Every one I'm familiar with locks *the user account*

          Those are the exception not the rule. Hell, these days even most corporate office systems don't have policies in place like that anymore. Far too easy to DOS an entire company. Think about it... does Gmail or Office 365 or Facebook or Twitter or Amazon or your domain registrar or Dropbox or even SoylentNews... or any major site on the internet lock you out like that after some small number of attempts? Can you imagine just how much havoc you could create if they did?! I've even seen corporate guys DOS themselves out of their own systems under that regime ... where they have a laptop or tablet at home periodically checking their mail or something; and then they reset their password at work; and the laptop at home just hammers on the account with the old password, locking it out within minutes of it being reset... all day long because there's nobody there to turn the damned thing off. And getting IT to throw in a firewall rule just to block some guy's home IP address until the end of the day is too much grief unless it's a CxO.

          So it doesn't matter how large their botnet is, they still only get three tries. And then generally the account is locked pending manual intervention, which may be hours or days before they get another three attempts.

          Yes, if you prioritize keeping unauthorized people out above getting authorized people in, that is exactly what you will achieve. That will work well unless you have users that NEED to actually log in.

          Of course, a decent password is still better than a "most common" password, but if you're relying solely on password complexity to protect you from a brute-force attack, you're doing something wrong.

          What mechanism would you suggest for facebook et al beyond what I've suggested? Throttling the incoming brute force searches so that it will take them generations to search the password keyspace is about as good as it gets. Locking out millions of users who have no real recourse to support is absurd, and even 3 hour account lock would never fly. Even 5 minute account locks would never fly. You could still DOS anyone's account for whom you knew the username. And usernames aren't generally secret or particularly hard to guess.

          And regarding the local attacks -

          I pretty much agree with you here.

          • (Score: 2) by urza9814 on Wednesday May 06 2015, @12:25PM

            by urza9814 (3954) on Wednesday May 06 2015, @12:25PM (#179469) Journal

            Right, I mean you can't do it for something like Facebook or Gmail...I was talking more about the internal corporate network. I'd assume the password taped to the monitor in this story wasn't for someone's Gmail account. But at my office all our Unix and Linux systems, all the databases, all the local Windows logins...almost any internal systems lock you out after too many failed attempts. There's a couple that don't, but they're less critical and not externally accessible (ex: our ticketing system)

            Actually this brings another point to mind as well...this would seem to present an interesting case against outsourcing your IT infrastructure to "the cloud". A cloud provider would never enable account locking because they don't want to deal with constant unlock requests, and they don't have a good way to prove that a user is who they claim to be anyway. But a local admin should have no problem handling that.

            • (Score: 2) by vux984 on Thursday May 07 2015, @02:33AM

              by vux984 (5045) on Thursday May 07 2015, @02:33AM (#179748)

              I was talking more about the internal corporate network.

              But at my office all our Unix and Linux systems, all the databases, all the local Windows logins...almost any internal systems lock you out after too many failed attempts. There's a couple that don't, but they're less critical and not externally accessible (ex: our ticketing system)

              That seems backwards. The ones that AREN'T remotely accessible are at far less risk of DOS; it's the ones that ARE externally accessible you can't use an account lockout on!!

              And depending on the definition of critical, the ones that ARE most critical are the ones you can not afford to be locked out of. It's only the relatively non-critical stuff that you can afford to fart around with the help desk for 20 minutes to get a locked account unlocked.

              Actually this brings another point to mind as well...this would seem to present an interesting case against outsourcing your IT infrastructure to "the cloud".

              Agreed. One well known disadvantage to the cloud is that your security and admin personnel are often connected via exactly the same routes and network connections potential attackers are. That makes it a lot harder to kill their connection -- because you can very easily kill yours too in the process. If the server is in a rack in the next room, you can shut down network interfaces, clean it, harden it, and bring it back online much more easily.

              • (Score: 2) by urza9814 on Thursday May 07 2015, @12:54PM

                by urza9814 (3954) on Thursday May 07 2015, @12:54PM (#179872) Journal

                And depending on the definition of critical, the ones that ARE most critical are the ones you can not afford to be locked out of. It's only the relatively non-critical stuff that you can afford to fart around with the help desk for 20 minutes to get a locked account unlocked.

                Well, in our production environment *people* don't login to those systems, only software does. So you encrypt the password in the software config somewhere. It won't get locked out unless it's under attack. Of course, we have the same setup on all the test environments, so there you'll have people logging in, and periodically getting themselves locked out. But that's not really a problem.

                That seems backwards. The ones that AREN'T remotely accessible are at far less risk of DOS; its the ones that ARE externally accessible you can't use an account lockout on!!

                Ah, yeah, I should have written that a bit different -- we don't really have any external systems of any significance. I work on retail pharmacy software, so we've got our website and we've got Outlook web access and that's all I can think of right now. I'm not sure if the email locks you out, but definitely all the systems where you could access the really important stuff -- like patient data, prescriptions, insurance info, that sort of stuff all locks after three attempts. So you might be able to brute-force your way into someone's store loyalty card account, but that's about it.

                So for a network like the train control systems this article discusses, there shouldn't really be any externally accessible systems. There's very little the public needs to interact with. So you should be able to put lockouts on pretty much everything.

          • (Score: 0) by Anonymous Coward on Wednesday May 06 2015, @02:59PM

            by Anonymous Coward on Wednesday May 06 2015, @02:59PM (#179541)

            Far too easy to DOS an entire company.

            Not if you combine it with an SMS unlock system (you can unlock your account by having an SMS sent to you using a phone number you've previously stored in the system, which contains a one-time unlock code; as bonus, you could have the user enter the phone number, but still only send the SMS if it matches the previously saved one; that both acts as additional — though not very strong — password, and as protection against people getting a new phone, but forgetting to update the number in the database). Then unlocking takes only slightly more time than normal login, but the attacker will have to wait until the user happens to need access to that account again.

            And yes, you could also hack that system. But that's an order of magnitude more difficult than just sending random passwords from botnets, and will only be done by attackers who are really determined to get into your system; but that's not the type of attackers which are stopped by password policies anyway.

            • (Score: 2) by vux984 on Thursday May 07 2015, @02:19AM

              by vux984 (5045) on Thursday May 07 2015, @02:19AM (#179745)

              Not if you combine it with an SMS unlock system (you can unlock your account by having an SMS sent to you using a phone number you've previously stored in the system

              And then 5 minutes later the entire company is locked out again. How many times in one day are you going to SMS unlock your account before you realize letting a random person on the internet lock you out in the first place is too tiresome to tolerate.

              You might as well just go two-factor auth, since you have to use SMS anyway to login. And that completes the circle ... why bother worrying overmuch about locking the account after 3 attempts if you are using 2 factor auth anyway?

  • (Score: 2) by frojack on Monday May 04 2015, @11:40PM

    by frojack (1554) on Monday May 04 2015, @11:40PM (#178849) Journal

    There are a lot of security holes in password safes, and any thing in the clipboard on windows is pretty vulnerable to being plundered by any application.

    I'd recommend the dongles. (Actually little USB keys. These are so common you can buy them on Amazon and provision them yourself. Even Google uses them for two factor. [google.com]) The software for this is open source.

    Downside: Well having an open USB port is a risk anywhere in a critical infrastructure.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by frojack on Monday May 04 2015, @11:46PM

      by frojack (1554) on Monday May 04 2015, @11:46PM (#178854) Journal

      Correction, there are a lot of security holes in SOME popular password safes. Others, not so bad.
      But on windows, the clipboard is weak.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by vux984 on Tuesday May 05 2015, @01:15AM

        by vux984 (5045) on Tuesday May 05 2015, @01:15AM (#178892)

        But on windows, the clipboard is weak.

        I understand that it is a vulnerability. But I'm curious how the OSX, Android, iOS, or Linux etc clipboards are more secure than Windows?

        A password manager that uses a separate non-clipboard and then is activated by a system hotkey to emit the password to the active application might work better. But it'll still fall prey to keylogging etc. So I'm not sure that accomplishes anything.

        • (Score: 0) by Anonymous Coward on Tuesday May 05 2015, @10:42AM

          by Anonymous Coward on Tuesday May 05 2015, @10:42AM (#179032)

          X11 has a feature that an application can secure the keyboard, so that keypresses are only sent to that single application, and none other. It seems to be rarely used for password prompts these days, though (actually the only programs that I know to activate it automatically for passwords are Emacs and locking screensavers, and the only program I know where you can enable it manually is xterm).

          Of course that doesn't help against keyloggers that intercept the keyboard at a lower level; however it at least increases the difficulty (X11 keylogging can be done from the user account; I'm not sure that this is also possible for lower-level keylogging).

    • (Score: 2) by Geotti on Tuesday May 05 2015, @12:00AM

      by Geotti (1146) on Tuesday May 05 2015, @12:00AM (#178861) Journal

      Downside: Well having an open USB port is a risk anywhere in a critical infrastructure.

      For these cases there's the one-time tokens like SecurID [wikipedia.org]. (Of course something safer than the RSA tokens should be picked!)
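Added worked example (an editor's addition, not code from any commenter or vendor): the SMS unlock codes, SecurID fobs and USB keys mentioned in this thread are all second factors, and the open standard behind most phone apps and hardware tokens is HOTP (RFC 4226) with the time-based TOTP profile (RFC 6238). The code below implements both plus a stateful verifier that tolerates clock drift without accepting a replayed code. The secret is the RFC 6238 test-vector seed, not a real key; the skew and step values are the usual defaults, chosen here as assumptions.

```python
"""HOTP / TOTP generation and replay-safe verification.
Example code added to this page; the secret is the RFC test-vector seed."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC(secret, counter) dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Server-side verifier: accepts a code for the current step or +/- `skew`
    neighbouring steps (clock drift), compares in constant time, and refuses any
    step at or before the last one accepted, so a captured code cannot be replayed
    inside the drift window."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret, self.step, self.skew, self.digits = secret, step, skew, digits
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        base = at // self.step
        for k in range(-self.skew, self.skew + 1):
            counter = base + k
            if counter <= self.last_counter:
                continue                      # already used (or older): replay
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test seed for SHA-1; a real seed is 20 random bytes per user,
    # handed to the token or app once (usually as base32 in an otpauth:// URI).
    seed = b"12345678901234567890"
    now = int(time.time())
    v = TotpVerifier(seed)
    code = totp(seed, now)
    print("code:", code, "first use:", v.verify(code, now), "replay:", v.verify(code, now))
```

The reason this addresses vux984's objection is that the second factor is checked alongside the password, not used to unlock an account somebody else locked: a guessed password alone no longer gets a login, so the hard three-strikes lockout that enables the denial of service is unnecessary. The verifier must persist `last_counter` per user; a fresh instance on every request would lose the replay protection.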

    • (Score: 4, Interesting) by vux984 on Tuesday May 05 2015, @01:04AM

      by vux984 (5045) on Tuesday May 05 2015, @01:04AM (#178887)

      There are a lot of security holes in password safes

      Yes. However I think some of them are quite good.

      and any thing in the clipboard on windows is pretty vulnerable to being plundered by any application.

      So what. If my system has been compromised to that degree, any password I type in manually isn't safe from being recorded either.

      I'd recommend the dongles. (Actually little USB keys. These are so common you can buy them on Amazon and provision them yourself. Even Google uses them for two factor.) The software for this is open source.

      Which? Stuff like YubiKey? Yes, I agree... those are a great concept. I didn't mention them for the sake of brevity and the fact that they do not in fact work for most users' passwords most of the time, which was my criterion.

      After all what do you do for sites and systems out of your control that don't support them?

      A USB key can also be lost or forgotten, it can go through the washing machine, or it can simply fail... trading "not very secure" for "so secure even I can't get in" isn't necessarily net positive. And if they leave their YubiKey on their desk all the time to ensure that doesn't happen... well... how is that really much better than the note under the keyboard?

      Downside: Well having an open USB port is a risk anywhere in a critical infrastructure.

      USB itself isn't a security risk the way FireWire or Thunderbolt are, but yes. Although you can at least disable USB storage services and so forth to mitigate the risk. Or switch to the NFC version of YubiKey, etc. Truly critical infrastructure should have secondary layers... i.e. monitoring what is actually put into the USB port, people monitoring who is actually doing the putting in, etc.

  • (Score: 2) by Nuke on Tuesday May 05 2015, @08:50AM

    by Nuke (3162) on Tuesday May 05 2015, @08:50AM (#179007)

    Vux984 wrote :-

    The slip of paper taped under the keyboard really isn't that bad...... its probably better than it being "password123" and not written down.

    Did you read the TFA that's linked? The password was even dumber than "password123" - it was "password3" - AND it was written down.

    • (Score: 2) by vux984 on Tuesday May 05 2015, @06:53PM

      by vux984 (5045) on Tuesday May 05 2015, @06:53PM (#179205)

      Yeah, I actually stumbled over that factoid after I posted.

      I'd originally misread the line in the summary:

      One might wonder if overstrict password policy brought this about, except obviously a strict password policy would not allow the password that is stickied to the monitor..

      As:

      One might wonder if overstrict password policy brought this about, except obviously a strict password policy would not allow the password to be stickied to the monitor..

      The takeaway from that revelation is the password was treated as little more than an annoying formality. Which in some cases it is... I have a password on my HTPC main user account for example because certain things don't work as simply if there is no password defined. But the password itself is trivial, never changes, and everyone in the family knows what it is. So sometimes that's appropriate.

      I'm not sure offhand whether that is the case here. Even the article speculates that it's the local login for that terminal and it may not be remotely exploitable... etc... that it might well be like the family user password on my HTPC.

  • (Score: 2) by cafebabe on Wednesday May 06 2015, @02:52PM

    by cafebabe (894) on Wednesday May 06 2015, @02:52PM (#179536) Journal

    I use password safe myself, which is pretty good, and I can use the passwords most of the time without ever having to see them... double click the entry and its copied to the clipboard. Although some systems and websites that for whatever reason have prevented pasting from the clipboard to the password field require me to display it on the monitor to copy manually.

    If you have Flash and you access websites paid by advertising (or web bug placement) then anything which has gone through your clipboard should be regarded as compromised. URLs. Passwords. Telephone numbers. Zip codes. Social Security Numbers. All compromised.

    Java Applets have the safeguard that Applets may only communicate with the originating webserver. Flash does not have this safeguard. Nor is it possible to disable access to a clipboard within Flash. Therefore, it is possible to devise Flash adverts which are distributed to clients marks via an advertising network with the intention of selectively contacting a specific server with information of interest.

    With a small budget, it would be possible to build a contemporary list of potential passwords. With the functionality of your password safe, every password could be in it.

    --
    1702845791×2
    • (Score: 2) by vux984 on Thursday May 07 2015, @02:13AM

      by vux984 (5045) on Thursday May 07 2015, @02:13AM (#179743)

      If you have Flash

      Flashblock, click to activate flash...so that's mostly mitigated.

      and you access websites paid by advertising

      Well that I do, but between adblock and ghostery ... again most risks mitigated.

      But I don't believe you are wrong with respect to the content of your comment; but let's face it, if you use a computer attached to the internet and browse the web then you may have been exploited by a zero day, and have keylogging malware installed... so any password you typed in manually is potentially compromised anyway. Flash or no Flash. Clipboard or no clipboard.