Security

[Easy-X]

With the M&S hack still ongoing, the clean-up at least, I'm going to audit all my PCs, devices and accounts and see if I'm doing any "stoopid shit" My main focus used to be securing my main email account but I think we're at the stage where anything and everything that can be locked down with Two-Factor Authentication (2FA) should be.

Now I hope we're all past the point of reusing simple passwords like George1939 or Password123. Every website account needs a unique random password and given Chrome, Brave, Firefox etc. will generate and save these for you there's no excuses. Then you just have one job: keep your web browser safe. For example, with Chrome it's all tied to your Google Account so keep that locked down and you should be reasonably safe. That's when you should switch on 2FA.

Personally I dislike the 2FA apps. Always a pain when you change phones, even more of a pain if you lose your phone! So I'm changing over to hardware keys and they're pretty easy to get a hold of. Yubikey is a big name, Google have their own Titan Key but anything that does "FIDO2" should work, e.g. locking down your Microsoft Office account, price £25 ~ £50.

Hardware keys, once registered, prompt you when you log into a new device to insert the key (they're usually USB but you can get NFC and Bluetooth versions). If you deem the device "safe" e.g. at your house, you won't get prompted for the hardware key again (although you'll probably have to re-enter the password after a while.) A public computer? Nope, that's not safe but even if that Bangkok Internet Café has a keylogger running, Mr. Chakrii won't get very far unless he steals the hardware key off you. Personally I wouldn't log into my main email account unless it's a device I own. Even a works' computer if you can avoid it, that's what phones are for.

Obviously guard the key with your life, more so even than your phone, but it is at least a physical thing you can hold in your hand and not just some vague promise about data security.
____________________
Husqvarna Vitpilen 401, Yamaha XSR700, Honda Rebel, Yamaha DT175, Suzuki SV650 (loan) Fazer 600, Keeway Superlight 125, 50cc turd scooter

[stinkwheel]

My main bank account doesn't have an online facility. Any online transactions I do are via credit card, which is someone elses money.

On the rare occasions I need to do a BACS transfer, I go to the branch to do it.

Mr stinkwheel mocked me for not using a store card at our local coop...

I find 2FA a total pain in the arse because I don't usually have a mobile phone on me. It generally spends most of its time on my bedside table as a glorified alarm clock.

I also have a policy of not using my real name for most online interactions which seriously limits the benefit data miners can derive.

My mates call me a luddite. I preferr to think of myself as being aware of the pitfalls associated with networked computing systems and having an awareness that tech should work for me and not the other way round.

The staff at work are horrified by the fact I don't have a smart phone and can't comprehend how I cope without one. Well, I do have one, but it doesn't have a SIM card, I use it as an offline GPS and as a way of connecting to the wifi when I go on holiday. It has its own google account, basically a mini tablet PC.
____________________
“Rule one: Always stick around for one more drink. That's when things happen. That's when you find out everything you want to know.”
I did the 2010 Round Britain Rally on my 350 Bullet. 89 landmarks, 3 months, 9,500 miles.

[Easy-X]

So I have my funky security key. As tech-toys go it's somehow less exciting than a memory stick given the amount of work I have ahead of me

As part of my audit I've found I have passwords saved in Google, passwords saved in not one but two password managers, three 2FA authentication apps on my phone (four if you count the Steam app). If I attempt to link this new physical key to something they all get in a fight and then Microsoft Hello wades in to see what the kerfuffle is all about

I need to move everything to a single password manager, a single authenticator app and this key, then disable/erase all the rest...

https://www.drivingmonitor.com/wp-content/uploads/2022/10/what-could-happen-whats-the-worst.gif
____________________
Husqvarna Vitpilen 401, Yamaha XSR700, Honda Rebel, Yamaha DT175, Suzuki SV650 (loan) Fazer 600, Keeway Superlight 125, 50cc turd scooter

[Robby]

This would have been a good idea 5 years ago. Nowadays the thinking has moved on. The new approach is that security should be easy, invisible and turned on by default. This is so that normal people don't have to know what they're doing.

So a good approach nowadays, at least for Android users, is to let google handle it. Google password manager will now prompt to use passkeys instead of passwords for sites that support it. These are just better. You also get it backed up into google so there is less trouble if you change phone.

The default google approach to MFA is good, and clever. It doesn't prompt you all the time and be annoying, but it does prompt when it sees an unusual sign-in. Particularly from a new device.

These security controls can be worked around, but it requires someone skilled going after you personally. If you're looking to avoid normal attacks, and cover yourself for your own past stupidity (like re-using passwords on a site that was breached), then there is no need to go too far.

Your new approach appears to just make it easy to have a single breakage or hardware failure and then lose access to everything.

However, if you are dead set on moving to a single offline password manager, Bruce Schneier's password safe is what I would go for.

Final note - you will get about the same level of security and far more resilience against failure by writing the passwords out by hand in a notebook, and keeping it in a drawer at home.

[P.]

I have KeePass for most with the master password for that, in case I forget it or get smacked by a truck, written on a note, laminated, in the garage.

Thats pretty much it Everything is stored, rotated every 3 months with 2FA on Authy, thats all I feel is needed.

Banking is biometric, passcode and text, so I can't really do more.

[Easy-X]

[Ste]

Having all the strongest passwords in the world with all the multi-factor authentication tools that exist wouldn't necessarily have stopped the M&S shitstorm because humans are always the weakest part of the security.

They outsource lots of their IT services and the hackers tricked someone (aka social engineering) into letting them in.

It's taking so long because they're not recovering from backups and restoring stuff, they're rebuilding.

[Easy-X]

I asked my boss the other day: "if I went mad and deleted all the company stuff off our Cloud provider, how long would it take you to get the customer facing systems back up and running?" and he said "less than 24 hours". That's only for a few hundred sites and a few thousand users though.
____________________
Husqvarna Vitpilen 401, Yamaha XSR700, Honda Rebel, Yamaha DT175, Suzuki SV650 (loan) Fazer 600, Keeway Superlight 125, 50cc turd scooter

[Islander]

[Islander]

[Islander]

[MarJay]

[Robby]

[panrider_uk]

I was at a group meeting of the main Humber Bank factories recently where one of them gave a presentation about how they'd been hacked in a similar fashion.

The hackers had been in their system for several months before they triggered the malware.

Took them several months and £millions to get back online.

They weren't even the target.
Their headquarters were in Saudi and it was a politically motivated attack.
They just happened to be connected via t'internet and were collateral damage.

I keep year end backups going back several years so would be able to recover fairly quickly from a major outage.

Not sure why M&S are taking so long to get up and running again.
____________________
Current bikes: Hondas - Forza 750, ST1100A

[that_impulse_guy]

out IT department got in bed with a cloudy backup type (no names will be mentioned) so we started to backup some pb to cloud-world and then did incrementals and so on, lovely.

In conversation, I asked "so how long would it take to restore 15Pb and how much would the fees be?"

we've now bought another diamondback for site2 and are managing backups ourselves again
____________________
Gone: Yamaha DT50lc, Suzuki DR500, Suzuki A100, Kawasaki z250ltd, RD350YPVS, Suzuki DR Big, Kawasaki AR125, Kawasaki KMX200, Suzuki GS1000S, Katana 1100, GS550M, Suzuki RGV250
Now: Suzuki GSX400X, Suzuki RF900R, NS400R

[panrider_uk]

Instead of the fluffy term "the cloud" I prefer "other people's computers"
____________________
Current bikes: Hondas - Forza 750, ST1100A

[Islander]

[Easy-X]

[Ste]

[Robby]

[Ste]

M&S have said that the attack used “social engineering”.

https://cybernews.com/news/marks-spencer-breach-tcs-third-party-vendor-social-engineering-attack/

They're not fixing stuff, they're "accelerating an overhaul of its technology over the next six months which had originally been due to take place over two years."

https://www.independent.co.uk/tech/marks-spencer-marks-spencer-harrods-sales-b2755217.html

[Islander]

[Islander]

[MarJay]

When I joined Sainsburys in the early 2000s, they were using a system for stock control called 'DISCO' which, as you can probably surmise from the name, had it's origins in the late 70s. So it wouldn't surprise me if M&S were running on an entirely Windows NT or server 2003 based infrastructure.
____________________
British beauty: Triumph Street Triple R; Loony stroker: KR1S; Track fun: GSXR750 L1; Commuter Missile: GSX-S1000F
Remember kids, bikes aren't like lego. You can't easily take a part from one bike and then fit it to another.

[Easy-X]