Here are the security threats I found relevant recently.
Scenario 1 (Your kids are the back door)
Recently while conducting a pen test of a web application we were able to escalate our privileges and gain access to the entire database though a SQL injection vulnerability. My colleague says "hey this username looks really familiar. I think I know this guy." So we query his password as part of the evidence we need to make our case that SQL injection really is bad. (Upper management does not always agree unless you can give them shock and awe). Once the password is revealed, all is made clear how my colleague knows this user. His wife happens to be involved in a social event where this user's kid also belongs. This particular password is a maneuver the kid performs in a sport he is interested in. It was the combination of the sport plus a significant date in the users life. To make matters worse it was also his kids myspace page screen name!!!! Just knowing a little information about this user would make it relatively easy to gain access to this account. Kids are your life and you can't help talking about them and their interests. This is also why they don't make good passwords!
Scenario 2 (Babies are bugging my house!)
I know quite alot of people with babies right now. Its my age bracket for sure. They are everywhere! Crawling, drooling, spitting up, and listening for bad habits to pick up on. But one thing that is also common about all people that have babies is baby monitors. And some people never think to turn the base off! Who needs the patriot act when you have wireless communications bleeding into the neighborhood voluntarily. This is the incident that inspired me to write this article. We where listening in on the conversation with the baby monitor and it becomes apparent that this user is talking to his credit card company about a dispute. We are given the cvv, the full number, SSN and his address which should not be hard to find since you know its within a one or 2 house radius. And lets say you don't know the address and you want to find it. Here are the clues.... look for parents with babies, toys in the yard, or pretend to be a Jehovah's Witness and walk door to door. Your friend sitting in the car with the baby monitor will hear the knock on the door and then you will know.
Conclusion
I know i'm prolly speaking to the choir for anyone actually reading this but here is my advice. Be careful about the information you use to protect your self. Use strong passwords letters numbers and special characters if you can. I like passphrases. They are much harder to guess or brute-force and it makes it easier to remember a 30 character password this way. (i.e. IL1k32B10ggAb0tP3nT3st1n9 ). Try not to use anything as a password that is really important to you. More than likely you talk about it alot and your kid is blogging about it. A little reconnaissance and you are pwnd! Be careful what you say around the baby monitor base. This should be obvious. Anyone within at least a 2 house radius can hear you if they want to.
Slashdot It! |