How to Be a Security Idiot
So, I was wading through all the garbage on digg today and came across Jim Rapoza's 12 Ways to Be a Security Idiot. It got me thinking about all of the dumb and insecure practices that I saw while I was working for the City of Tempe here in Arizona. Also, I'm having a bad day with Firefox 220.127.116.11 crashing every few minutes while I am trying to get some work done and figured this would lighten the mood a touch. Here is Jim's list and a few extras from us here at TSSCI. I encourage you all to post your 'How to Be a Security Idiot' stories. comments, etc.
- That stupid firewall thing is so annoying. Life is so much easier with it turned off.
- That big laptop harddrive is great, everything on there is important, but don't worry about encrypting the data because you'll never lose the laptop.
- Those Internet kiosks sure are handy eh? Let's access our bank accounts and company webmail systems. Hey, there's a long lost friend from school, let's go say hello. The next guy that comes along will surely log me out of my account being that the world is full of such trustworthy people right?
- You're response to questions about anti-virus is 'Of course. I use RightGuard.' Anyways, if you don't go to porn sites you can't catch viruses anyway =p
- Hrmm, looks like something's wrong with my Paypal account. Odd, this email they sent me doesn't look like the other's I've received. Microsoft removed spellcheck from Outlook and the message is in all capital letters. Let's login and see if we can't fix this.
- Woohoo! A Nigerian prince wants to give me a bunch of money and all I have to do is send him a few grand. Ha! Marcin and I had this happen before.
- Look, someone you've never heard of sent you an email that says 'Checkout this awesome game!'. Let's open it since everyone knows that a complete stranger would never do you any harm.
- My password is 'password' When I used to change it from 'password' I wrote it on my monitor so that I wouldn't forget it. When an application comes with a default password, it must be a good one if they felt the need to include it, so I just leave it alone. Also, my other favorite passwords include '1234', my birth date, my name, and my favorite color.
- Patches? There's no holes in the screens on my Windows. My TV doesn't require updates, why should my computer? Afterall, isn't a computer just a more intelligent television set?
- WoW! This site is full of advertising and strange letters at the end of the URL but golly! doesn't it have some cool software available for free to download. And what harm can a Scarlett Johansson screensave do.
- Wireless networks are so convenient. Nothing like checking my Wells Fargo account balance from my friendly neighborhood Starbucks. No reason for WEP/WPA or disabling file sharing without a password. My Linksys do-hicky has to be broadcasting this SSID stuff huh for it to work; afterall it is wireless right? Hey, that car sure has been parked out in front of my house for a long time.
- So, zerocool calls and wants my user information so he can login to my account and install some new software. Kevin's the IT guy but this zerocool dude seems to know what he's talking about. Go ahead zerocool, my username is idiot and my password is password.
- When I go on a smoke break or bathroom break I leave my system unlocked. No one at my company would ever do something malicious to my system.
- Nothing beats the convenience of removing the security code from my cellular phone. I've never had my phone lost or stolen so it's not necessary.
- I care soooo much about my system's uptime, so I haven't rebooted to apply a patch since the 2.4 kernel was released. But hey, all my friends on IRC think I'm sooo cool because my system's been up since 1999.
- Aren't those 'Get a free Ip0d SiT3s' great? Just give them all your personal information and then wait for the UPS guy. No, for real, it's not a scam.
- Bots!? The only bot I have to worry about screwing something up is my Roomba harassing the family dog.
- Those 'Remember me on this computer' checkboxes are just so convenient. 'If you're not James, click here'. Well, I'm not James but I wonder if there's anything cool in here. Let me check quick.
- Our IT guy is sooo sick of answering tickets in Remedy that he emailed everyone the admin passwords so we could login to the local machine and change things ourselves.
- Cops have a sense of humor right? I've never seen so many Flash videos with malicious code in them as I did doing data migration for the police department. Why does everyone need the 'You Don't Know Jack Schiddt' video anyway?
- You forgot the guy's password in the cube next to you and can't find his Post-It note under his keyboard? Just call the helpdesk, give them the username, and they'll reset it to 'water'. No need for a callback or anything like that, that stuff's not for government offices anyway.
- Redact with Confidence. Make sure you draw black boxes over your PDF files and then distribute them like that. No one in a million years would think to CTRL+A and copy/paste into a text editor. Also, using the highlight feature in Word is really good for redacting right? Just highlight in black and no one can ever see the text.