414

Tech workers - what did your IT Security team do that made your life hell and had no practical benefit?

posted
by
Avatar
Krudler@lemmy.world
in
Avatar
asklemmy@lemmy.world
258 comments
hidereport

One chestnut from my history in lottery game development:

While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.

Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.

Sort:
HotTopControversialNewOld
You are viewing a single thread.
View all comments
Avatar
neveraskedforthis@lemmy.world
150 points

Banned open source software because of security concerns. For password management they require LastPass or that we write them down in a book that we keep on ourselves at all times. Worth noting that this policy change was a few months ago. After the giant breach.

And for extra absurdity: MFA via SMS only.

I wish I was making this up.

permalink
report
reply
Avatar
slazer2au@lemmy.world
31 points

Do you work for a government?

permalink
report
parent
reply
Avatar
JackGreenEarth@lemm.ee
87 points

Banning open source because of security concerns is the opposite of what they should be doing if they care about security. You can’t vet proprietary software.

permalink
report
parent
reply
Avatar
DKP@lemmy.world
38 points

It’s not about security, it’s about liability. You can’t sue OSS to get shareholders off your back.

permalink
report
parent
reply
Avatar
Hobart_the_GoKart@lemm.ee
15 points

Care to elaborate “MFA via SMS only”? I’m not in tech and know MFA through text is widely used. Or do you mean alternatives like Microsoft Authenticator or YubiKey? Thanks!

permalink
report
parent
reply
Avatar
Appoxo@lemmy.dbzer0.com
12 points

Sim swap is quite easy if you are convincing enough for support at an ISP doing phone plans.
Now imagine if I sim-swapped your 2FA codes :)

Exactly this. Instead you should use a phone app like Aegis or proprietary solutions like MS Authenticator to MFA your access because it’s encrypted.

permalink
report
parent
reply
Avatar
Hobart_the_GoKart@lemm.ee
6 points

Thenks! I really don’t want to be forced into an app, but it’s good to know the reason why.

permalink
report
parent
reply
Avatar
Funwayguy@lemmy.world
35 points

Through a low tech social engineering attack referred to as SIM Jacking, an attacker can have your number moved to their SIM card, redirecting all SMS 2FA codes effectively making the whole thing useless as a security measure. Despite this, companies still implement it out of both laziness and to collect phone numbers (which is often why SMS MFA is forced)

permalink
report
parent
reply
Avatar
Hobart_the_GoKart@lemm.ee
8 points

TIL! thanks for the explanation.

permalink
report
parent
reply
Avatar
KevonLooney@lemm.ee
1 point

SMS 2FA is used because it’s better than nothing and it works for 98% of people. Not many people have Google Authenticator, let alone other varieties.

The major weak link in security is people, not technology. People can be convinced to give up the 2FA code regardless of whether it’s a text or code in an Authenticator app.

permalink
report
parent
reply
Avatar
jaybone@lemmy.world
3 points

To collect numbers, which they sell in bulk, to shadey organizations, that might SIM Jack you.

permalink
report
parent
reply
Avatar
JigglySackles@lemmy.world
15 points

I tried so hard to steer my last company away from SMS MFA. CTO basically flat out said, “As long as I’m here SMS MFA will always be an option.”

Alright, smarmy dumbass. I dream of the day when they get breached because of SMS.

permalink
report
parent
reply
Avatar
Aceticon@lemmy.world
3 points

If I remember it correctly, in GSM it’s perfectly possibly to spoof a phone number to receive the SMS using the roaming part of the protocol.

The thing was designed to be decently safe, not to be highly secure.

permalink
report
parent
reply

Ask Lemmy

!asklemmy@lemmy.world

Create post

A Fediverse community for open-ended, thought provoking questions

Please don’t post about US Politics. If you need to do this, try !politicaldiscussion@lemmy.world

Rules: (interactive)

1) Be nice and; have fun

Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can’t say something nice, don’t say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them

2) All posts must end with a '?'

This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?

3) No spam

Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.

4) NSFW is okay, within reason

Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com. NSFW comments should be restricted to posts tagged [NSFW].

5) This is not a support community.

It is not a place for ‘how do I?’, type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.

Reminder: The terms of service apply here too.

Partnered Communities:

Tech Support

No Stupid Questions

You Should Know

Reddit

Jokes

Ask Ouija

Logo design credit goes to: tubbadu

Community stats

  • 11K

    Monthly active users

  • 4.3K

    Posts

  • 232K

    Comments

Community moderators