The Other Worlds Shrine

Your place for discussion about RPGs, gaming, music, movies, anime, computers, sports, and any other stuff we care to talk about... 

Internet security


 #114300  by Tessian
 Sat Dec 08, 2007 6:35 pm
Seraphina wrote: Where I work we have a bunch of guys that can't install software on their PCs so web based AIM works perfect in that situation. There are already other choices, but having it integrated into Gmail makes it less suspicious to their supervisors!
You know that's on purpose right, that they can't install software? Because the company doesn't want them a) fucking up the PC and b) installing/using any unauthorized software. Just because it's a web app doesn't mean it's allowed.

Thanks to this I'm probably going to have to block company access to Gmail once we finally put a central IM management solution in place.

 #114328  by SineSwiper
 Sun Dec 09, 2007 2:19 pm
Tessian, you're the reason why everybody hates IT.

 #114332  by Zeus
 Sun Dec 09, 2007 3:00 pm
SineSwiper wrote: Tessian, you're the reason why everybody hates IT.
You can't allow IM in an office if you expect to get more than 60% productivity on a regular basis. I know they don't take up much in terms of bandwidth, but what if you have thousands of people on a server like you do in my company? You just can't have it.

 #114335  by Shellie
 Sun Dec 09, 2007 3:14 pm
The policy is mostly in place because of people from non-technical departments fucking up their computers downloading crap.

It was allowed at one point, but as managers change, so do policies. Now browsing is allowed as long as they aren't on a call. And their calls are monitored with screen recordings, so they know if they are on a website or chat while on a call. Most supervisors look the other way if they see someone on AIM when they aren't on a call. Some frown on it, depending on who you are.

And it actually does help them in some cases. Everyone else in the company, sups, managers, etc. are on AIM and instead of techs getting up walking around looking for someone to ask a question, they just IM them.

The company just implemented some internal IM program (forgot the name of it) on our own chat server. It's really only used by the non-technical people and their supervisors. They use it to communicate back and forth between the supervisors, leads, and CSRs.

 #114363  by SineSwiper
 Mon Dec 10, 2007 7:59 am
Spark. It seems to break a few XMPP standards, but otherwise it's compatible with Pidgin. Most of the company use the standard client, but those of us who have AIM contacts use a multi-client like Pidgin or just stick with AIM. (If they had implemented it 5 years sooner, like we've been telling them, we wouldn't have this problem with an IM-protocol separation.)

 #114391  by Tessian
 Mon Dec 10, 2007 7:00 pm
SineSwiper wrote: Tessian, you're the reason why everybody hates IT.
I'm the reason you have all those freedoms at work. If it weren't for my profession, companies would have no choice but to disconnect their internal networks from the internet because half their workforce would infect and destroy the other half within a month.

You want all those cool gadgets and online apps? You need an Information Security Analyst to make sure it doesn't end up frying your computer and all your work.

Public IM is currently the #1 cause of data leakage and computer compromises (viruses, trojans, etc) within a company. Pretty much everyone's locked down email by tossing a spam filter in front-- public IM services are the next big thing that most companies ignore or just forbid.

I'm currently working on an IM management implementation in our company. 98% of public IM traffic we have is all for internal communication. OpenFire is what we're most likely going with (it's the server that Spark was designed for) but we're still testing. It's not easy to keep a company secure, especially when dipshit employees like Sine think we're the enemy and still manage to get themselves compromised.

Are you the same kind of employee that "demands" to be allowed to use Skype?

 #114394  by Flip
 Mon Dec 10, 2007 7:22 pm
AOL doesn't block shit and encourages the use of AIM. As an Internet company (that a lot of people don't have love for) you know they are attacked all the time and yet there has never been a major security issue.

If you feel like you need to block e-mail and chats, maybe your department sucks?

 #114403  by SineSwiper
 Mon Dec 10, 2007 8:19 pm
In the six years or so that I've worked with AIM clients at my job, I've maybe received one batch of the same message at one time. Just that one time, that's it. It wasn't even a real virus. It was just a thing that would broadcast the same message to your AIM list if you clicked on it. (Of course, I didn't click on it at all.)

If you're having such a problem with viruses, you need to:

A. Lock down admin access on your PCs.
B. Get a decent virus/spam scanner in your e-mail server. If you're not an ISP, you can afford to be a little overzealous about blocking shit. (We're an ISP, so we need a multi-million dollar email platform.)
C. Get a virus scanner that updates constantly on every PC.

That's about it. You don't need to worry about IM. If you're worried about IM viruses, the PC virus scanner will take care of it.

Hell, the worst viruses we've had inside the corporate network were due to security holes in WinVNC, not IM. (Since then, they've ditched WinVNC in favor of LANDesk.)

 #114414  by Tessian
 Mon Dec 10, 2007 9:19 pm
Viruses are actually the least of your worries with public IM-- and a Zero Day virus spread over one of AIM's many vulnerabilities is not going to be caught by whatever AV you have right off the bat.

The biggest problem is information leaking and just bad security practice in general. Having employees using public IM is the same as having everyone use Gmail instead of a corporate mail server... actually that would be better as Gmail is at least encrypted. Public IM is totally unencrypted and there are no controls over what content leaves your company. Why are all my employees' messages leaving the network to talk to one another? Information security isn't just about stopping viruses.

If there's a business need we can easily allow both internal and an external; but it's such a needless risk to have employees talking over the internet when they can just as easily stay inside my network.

 #114416  by Tessian
 Mon Dec 10, 2007 9:21 pm
Flip wrote: AOL doesn't block shit and encourages the use of AIM. As an Internet company (that a lot of people don't have love for) you know they are attacked all the time and yet there has never been a major security issue.

If you feel like you need to block e-mail and chats, maybe your department sucks?
No one said anything about blocking it... but just like email, chat has to be filtered and logged and protected.

 #114418  by Lox
 Mon Dec 10, 2007 9:53 pm
Tessian wrote: If there's a business need we can easily allow both internal and an external; but it's such a needless risk to have employees talking over the internet when they can just as easily stay inside my network.
I understand what you're saying. Depending on what you do in your business, this could be a big deal. At UPS, we use Windows Messenger within our Intranet for employee-to-employee communication because it never gets out into the public Internet. We have a lot of proprietary products that we would never want someone else to get ahold of. When we're talking to someone else in the company across the WAN, I'm not totally sure what technology we're using, but I know it's not hitting the public Internet unsecured.

Heck, I had a professor in my grad school courses who would talk to us about sniffing traffic because it's so freaking easy to do.

So, don't worry, Tess. I get ya. ;)

 #114421  by Andrew, Killer Bee
 Mon Dec 10, 2007 10:28 pm
Tessian wrote: No one said anything about blocking it... but just like email, chat has to be filtered and logged and protected.
Zeus is arguing for IM to be blocked, and I agree with Flip on this. Having access to IM programs does not kill productivity; people kill productivity!

Seriously though, if allowing IM is going to cause your productivity to drop 60%, your company has a very, very unhealthy culture.

 #114423  by Tessian
 Mon Dec 10, 2007 10:31 pm
Lox wrote:
Tessian wrote: If there's a business need we can easily allow both internal and an external; but it's such a needless risk to have employees talking over the internet when they can just as easily stay inside my network.
I understand what you're saying. Depending on what you do in your business, this could be a big deal. At UPS, we use Windows Messenger within our Intranet for employee-to-employee communication because it never gets out into the public Internet. We have a lot of proprietary products that we would never want someone else to get ahold of. When we're talking to someone else in the company across the WAN, I'm not totally sure what technology we're using, but I know it's not hitting the public Internet unsecured.

Heck, I had a professor in my grad school courses who would talk to us about sniffing traffic because it's so freaking easy to do.

So, don't worry, Tess. I get ya. ;)
Thanks Lox :P I'm not daunted anyway... in 10 years I'll be making way over 6 figures so they can keep bitching ;)

You're probably using a DNS redirect to point MSN Messenger to an internal server. It's then smart enough to let people who connect to it keep the traffic local, and IM traffic that isn't goes out to the internet (if allowed). I evaled a product kinda like that called Akonix. Facetime is another that does it... I didn't remember them being able to keep public IM internal but it's not hard to keep track of. You also might actually be using Microsoft Live Communicator and not know it... that's all internal.

 #114429  by SineSwiper
 Mon Dec 10, 2007 11:25 pm
Unless you're working for the CIA or a military contractor, you don't need an absolute lockdown on your Internet connection. You do realize that anybody can e-mail corporate information outside the web to somewhere else.

If you're this paranoid about something leaking out, you should be focusing your efforts on HUMAN security, not INTERNET security! Make sure that your employees know the security policies against personal and corporate information, etc. Tell them that passwords should not be broadcast on public IM channels, or any other private info.

If you're worried about man-in-the-middle attacks from the outside to inside, encourage VPN use for laptops. It's simple: if you need access to the private corporate internet, you will need to use the VPN. The VPN is encrypted, so no problems with anything you send through.

I'm not against a corporate IM system. It's a good idea. But don't start blocking shit left and right (including Gmail) just because you're paranoid about your own employees. You work for the employees. They are your customers. The less powertripping you do in an IT position, the more they will listen to your advice about security.

Oh, yeah, my biggest pet peeve about security: a complicated set of password restrictions makes the password LESS secure, not more! Just letters+numbers and at least 8 characters. That's it! You start piling on all of these different restrictions, and they will start to write their password down or use some easy-to-figure-out pattern. I prefer "hold shift" passwords with leet speak, like: C)RP)rati0n.

 #114430  by Andrew, Killer Bee
 Mon Dec 10, 2007 11:38 pm
SineSwiper wrote: Oh, yeah, my biggest pet peeve about security: a complicated set of password restrictions makes the password LESS secure, not more!
Haha, yep. Ditto regularly rotating passwords, ugh.

 #114434  by Kupek
 Tue Dec 11, 2007 12:24 am
I have some accounts on DOE machines through my advisor's grants, and I can never remember the fucking password if I go more than a month from using the account. I have no clue what it is now, I'd have to call them and get it reset if I wanted to use one of those machines. I get the first two restrictions, but that third one? Having a number (and Jesus, couldn't they just say "don't use a number," instead of "must contain non-numeric letter or symbol"?) in the first and last positions doesn't make a password any less secure. If anything, that makes it easier to guess.

 #114437  by Lox
 Tue Dec 11, 2007 7:46 am
Tessian wrote: You also might actually be using Microsoft Live Communicator and not knowing it... that's all internal.
I think I meant Live Communicator. :) haha
Sine wrote: You do realize that anybody can e-mail corporate information outside the web to somewhere else.
Well, duh! :) The point of the internal IM isn't to stop that. I agree, that's a policy and training issue. You can't stop willful leaking of info unless you have some crazy security like the CIA.

For us, an internal IM does exactly what we need. Why do we need IM over the Internet or to talk with people outside of the company? It's unnecessary so it makes sense to make it internal.

Everyone except interns has access to the Internet though and we are just blocked from certain pages based on content or security concerns.

 #114439  by SineSwiper
 Tue Dec 11, 2007 8:52 am
Lox wrote: For us, an internal IM does exactly what we need. Why do we need IM over the Internet or to talk with people outside of the company? It's unnecessary so it makes sense to make it internal.

Everyone except interns has access to the Internet though and we are just blocked from certain pages based on content or security concerns.
Plenty of reasons. Some of our vendors use AIM, so that we can contact them quickly about issues, or during times when you need a better response time than email. Hell, AT&T didn't want to communicate passwords in any medium except an encrypted P2P AIM channel.

What if you just want to talk to your wife during work? Is that so wrong? After all, if you're really busy, you can just tell her that and talk later. I don't surf at work, but I still chat with Shellie every day. During 2nd and 3rd shift, when it's really boring, I did surf at work. It's not lowering productivity; it's just passing through the calms before the storm faster. There's nothing more boring than not having anything to do.

I just think that there's no reason to be so hardcore at keeping employees from fucking off every once in a while. Not all jobs are 100% work all the time. If they can't surf or IM, they'll bring a book. If they can't bring a book, they'll read a newspaper. If they can't read a newspaper, they'll just gossip to each other.

Preventing them from installing shit on the PC, yeah, I can agree with that, but leave them alone after that.
Kupek wrote: I have some accounts on DOE machines through my advisor's grants, and I can never remember the fucking password if I go more than a month from using the account. I have no clue what it is now, I'd have to call them and get it reset if I wanted to use one of those machines. I get the first two restrictions, but that third one? Having a number (and Jesus, couldn't they just say "don't use a number," instead of "must contain non-numeric letter or symbol"?) in the first and last positions doesn't make a password any less secure. If anything, that makes it easier to guess.
That's not too bad. The "symbol within the first seven" is a bit much, but doable. That password above will work, C)RP)rat10n or KUP#K'sgr4nts.

Try this type of rule: "Your new password cannot contain a letter in the same place as your previous six passwords." This is for access to our billing system. What do they usually do to counter this?

asdfghjk1
sdfghjkl2
zxcvbnm3
wertyuio4
etc.

Yeah, that's a really secure password now. Thanks a lot, assholes!

 #114441  by Lox
 Tue Dec 11, 2007 9:11 am
SineSwiper wrote: Plenty of reasons. Some of our vendors use AIM, so that we can contact them quickly about issues, or during times when you need a better response time than email. Hell, AT&T didn't want to communicate passwords in any medium except an encrypted P2P AIM channel.

What if you just want to talk to your wife during work? Is that so wrong? After all, if you're really busy, you can just tell her that and talk later. I don't surf at work, but I still chat with Shellie every day. During 2nd and 3rd shift, when it's really boring, I did surf at work. It's not lowering productivity; it's just passing through the calms before the storm faster. There's nothing more boring than not having anything to do.
You misunderstood what I meant...when I said "why do we need IM over the Internet...?" I was specifically referring to UPS. I wasn't trying to make a broad generalization that no company needs it. I'm sure that there are valid uses, but those should still be managed in some form. My point was that there shouldn't be open access without reason. In our case, there is no reason, so internal IM is perfect.

As for the passwords...that's a bit much. haha Ours is set up so that you can't use the same one in the past 24 months. I guarantee it doesn't make them any more secure because everyone just increments the # portion of theirs by 1 each month anyways. And it's annoying. :)

 #114450  by Kupek
 Tue Dec 11, 2007 3:15 pm
SineSwiper wrote: That's not too bad. The "symbol within the first seven" is a bit much, but doable. That password above will work, C)RP)rat10n or KUP#K'sgr4nts.
While I was pointing out adhering to that rule is a pain in the ass, I was mainly questioning the security benefits.

 #114464  by Tessian
 Tue Dec 11, 2007 7:36 pm
Password policies can get out of hand... I don't even like what PCI requires you to do on Active Directory but it's AD's fault... Password Complexity is needed but definitely goes overboard. Our requirements are... 8 characters min, change it every 30 days, can't use past 10, must use for at least 5 days. Then there's password complexity which requires at least 3 of the 4: 1 letter, 1 number, upper/lower case, and a symbol. Luckily in Windows 2008 I believe AD will let you be more granular since PCI doesn't even require this much but it's either that or no restrictions.

Another component of all this is the need for a good, reliable password recovery/reset system. We ended up using something called myPassword which allows you to go to a web interface and answer your "security questions" which are gay, but not nearly as gay as what online banks make you do these days with pictures and phrases.

Also remember that pretty much no security measure is foolproof or uncircumventable... most controls are in place to make it too difficult to bother circumventing or carry a price if caught. Most security is useless if the people it's meant to protect don't want to help.