[cryptography] philosophical question about strengths and attacks at impossible levels

Randall Webmail rvh40 at insightbb.com
Sat Nov 20 00:20:04 EST 2010


> > A common, perhaps the most common, attack on corporations is to get
> > inside the corporate network through wifi, then mount an sql injection
> > attack on the corporate database, then steal the corporate database.
> > This often causes extremely large monetary losses.

A very large percentage of corporate systems have effectively no security.   To my personal knowledge, one of the largest specialty chemical companies on the planet saw their CIO depart for Costa Rica after making some bank transfers that were unauthorized.

He left without telling anyone (or writing down) the passwords.

Luckily, he hadn't bothered to actually change passwords from their default.   Thus the PW for the Oracle database was "Oracle" and the firewall PW was "Password".

A national property and casualty insurer has servers in every agent's office (and agents in every state).   The password to those servers is PaSsWoRd.

The CEO of a national health insurer has a luxurious executive suite with a jacuzzi and sauna in a city which I will not name, so as to protect the identity of the guilty.   His login/pw is on a yellow sticky note, stuck to his monitor.

These things I know, from personal experience.

What's more, hundreds of other people also know these things about these companies.   When they all upgraded from NT to XP, hundreds or thousands of Monkeys With Screwdrivers did the actual upgrade, and every one of those monkeys knows the passwords.

And yet the world has failed to end.

Curious, that, eh wot?