steven36 Posted September 23, 2016

Mega-breaches and spiking smartphones malware mean crims can crack you, yesterday

Enterprises are almost universally open to intrusion attempts with stolen credentials, and are at increased risk from compromised smartphones thanks to a spike in device malware.

The findings stem from two separate studies.

Digital Shadows research [PDF] reveals 97 percent of the Fortune top 1000 largest companies face potential compromise from any of an average of 760 credentials published to the web.

It is not stated how many of those are valid logins, however the company omitted consumer email domain addresses focusing on corporate addresses.

The credentials come from a pool of five million unique email and password combinations in data breach dumps from the likes of MySpace and LinkedIn, of which half a million are duplicates.

Organisations in the broadcast, telco, and computer services sectors were far more exposed than any other, dwarfing healthcare and pharmaceutical, industrial goods, and financial services.

Nokia in a separate report [PDF] finds one out of 120 smartphones is infected with some form of malware, a 96 percent hike over the first half of this year compared to the same period in 2015.

That represents a perhaps unseen threat to organisations who allow executives and staff to connect mobiles to corporate networks, potentially bypassing harder perimeter controls.

Compromised phones accounted for 78 percent of all infection traffic across the studied mobile networks, with the remainder stemming from infected Windows machines using tethered or dongle-driven internet connections.

Most of the infected phones were Android phones. Most phones running the Google operating system operate on Lollipop version five and the highly vulnerable KitKat version 4.4.
Source: http://www.theregister.co.uk/2016/09/23/biggest_enterprises_have_hundreds_of_stolen_creds_dumped_on_net_report/

straycat19 Posted September 23, 2016

I can't speak for all enterprise level systems, but you could have a valid login for our system and still would not be able to log in, because all logins from outside require the use of an RSA one time use token that is provided by an RSA key device issued to all our users who are authorized to access the network from outside. Phones/tablets cannot access the same network but are logged on to a separate wireless system which is separate from the primary network and only provides internet access and does not provide access to any data or email. If you want security you can have it with a little work and don't have to worry about social engineered or phishing attacks. Businesses or any other entity that allows unfettered access to its system from anywhere for the 'convenience' of its employees are asking to be breached, hacked, or compromised in some way.

steven36 Posted September 23, 2016

Scientists cracked RSA SecurID 800 tokens back in 2012. Even software that's protected with RSA can easily be cracked by patching the public key.

After NSA Backdoors, Security Experts Leave RSA for a Conference They Can Trust
https://www.eff.org/deeplinks/2014/01/after-nsa-backdoors-security-experts-leave-rsa-conference-they-can-trust

I don't even trust AES 256bit encryption not to be backdoored, but RSA, come on lol

Holmes Posted September 23, 2016

I have to agree. No matter how secure your company is, stray, or you think it is, everything has a vulnerability somewhere; someone made a mistake. You're working with a false sense of security.

straycat19 Posted September 23, 2016

13 hours ago, steven36 said:
> I don't even trust AES 256bit encryption not to be backdoored, but RSA, come on lol

12 hours ago, Holmes said:
> I have to agree. No matter how secure your company is, stray, or you think it is, everything has a vulnerability somewhere; someone made a mistake. You're working with a false sense of security.

You believe everything you read? We use 1024bit and 2048bit encryption. We don't use RSA SecurID 800 tokens, ours are not a commercial product. I don't work for a company per se, might be better classified as an organization or entity. I have never worked for a company.

steven36 Posted September 23, 2016

42 minutes ago, straycat19 said:
> We don't use RSA SecurID 800 tokens, ours are not a commercial product. I don't work for a company per se, might be better classified as an organization or entity. I have never worked for a company.

Only RSA should be used as an extra layer of security, like with my VPN I use AES-256 / SHA256 / RSA-4096. As far as RSA alone, it can be brute forced; they say with a quantum computer it can be broken. You claim you're immune to being hacked when NSA and the White House got hacked. Anyone that thinks they can't be hacked is wrong and is letting their guard down. Pride comes before a fall.

Holmes Posted September 23, 2016

For your information, saying organization is a fancy way of saying company; it's all entitlement bullshit (organization is a synonym for company). Like I said before, you made it sound like your organization is hack proof, and nothing is. You could say hacking your organization would be harder, that's it.
This topic is now archived and is closed to further replies.