Security mindsets of very small businesses and residential clients

alexntg

@Carnival-Boy said:

Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?

Well, you know, their password being broadcast on-air to everyone within a few miles of your user is up there in risk. Two-factor verification isn't quite the same as a password.

Carnival Boy

So they're at risk from attackers physically located within a few miles of them, who know what to do with a random password, and know exactly when the SMS is being sent? This seems very low risk or am I missing something? I only send the password, there is no other information with it. It's not quite the same as two-factor verification, but I think it's similar.

alexntg

@Carnival-Boy said:

So they're at risk from attackers physically located within a few miles of them, who know what to do with a random password, and know exactly when the SMS is being sent? This seems very low risk or am I missing something? I only send the password, there is no other information with it. It's not quite the same as two-factor verification, but I think it's similar.

There's still some risk. If someone's phone's being monitored, the person monitoring the phone would have some idea of who's it is. If someone's just absorbing all SMS traffic in a given area, it wouldn't have any particular meaning or value.

scottalanmiller

@Carnival-Boy said:

@JaredBusch said:

I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted for gods sake.

Depends on what the password is for, but other users may have been granted access to that user's e-mail. By using e-mail you may still be compromising security. It's about internal security as well as external security.

That is the case with any secure system though. If you have a compromise it doesn't matter if you used email, secure download, KeePass, etc. That doesn't make email any better or worse.

scottalanmiller

@Carnival-Boy said:

Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.

I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).

Very insecure. SMS I would definitely avoid. That's worse than sending it to their personal email.

scottalanmiller

@Carnival-Boy said:

Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?

That's the second factor only. That's purely "extra" security above and beyond existing security. The point there is to send a one time code side band. It's only useful if you can combine the two bands and only for a moment. It could be announced openly on the radio and not be any risk.

That Google uses it that way doesn't imply anything about it being safe.

scottalanmiller

The worst that can happen is that a password is compromised because of not following minimum security practices (by using internal email.). Using SMS would move the risk from "acceptable low security for ease of use" via email to "unacceptably low security that takes more effort" potentially.

And are you sending to locked down end points? My SMS messages display even when my phone is locked.

scottalanmiller

I've written a bit on the evils of SMS. Keep in mind that email is "user" security. SMS is "device" security. You are deciding to send that password to the physical holder of a device rather than to the account of a user. Changes a lot if things fundamentally beyond the security gap.

Carnival Boy

@scottalanmiller said:

I've written a bit on the evils of SMS.

Link? I definitely don't understand the risks.

Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set-up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

scottalanmiller

@Carnival-Boy said:

@scottalanmiller said:

I've written a bit on the evils of SMS.

Link? I definitely don't understand the risks.

Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set-up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

Carnival Boy

@scottalanmiller said:

What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

Off the top of my head, e-mail is easier to spread around, more likely to be read by other users or forwarded to unsecure locations, as I've already mentioned and more likely to be printed out and pinned on a noticeboard.

I generally send username and other account details by e-mail and passwords by SMS. One is useless without the other, and the probability of both being hacked is massively lower than the probability of one. That's the two-factor bit.

Let me ask you, what do you fear in SMS that you don't fear in e-mail? I certainly don't understand what is "evil" about SMS.

Carnival Boy

And just to clarify, I didn't start this thread and have no dog in this fight. I don't fear e-mail. I'm just saying what I do, and am interested to hear what others do, and why.

scottalanmiller

@Carnival-Boy said:

@scottalanmiller said:

What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

Off the top of my head, e-mail is easier to spread around, more likely to be read by other users or forwarded to unsecure locations, as I've already mentioned and more likely to be printed out and pinned on a noticeboard.

I generally send username and other account details by e-mail and passwords by SMS. One is useless without the other, and the probability of both being hacked is massively lower than the probability of one. That's the two-factor bit.

Let me ask you, what do you fear in SMS that you don't fear in e-mail? I certainly don't understand what is "evil" about SMS.

SMS shares every risk of email and is not a business tool. Users can forward, share, print or whatever the same as email. It is likely linked and forwarded automatically, many SMS are. SMS is personal moreso than email and treated more casually. SMS is linked to a device and not to a person - security implications are very different.

Business email is very secure. SMS is a security level lower than personal email, in nearly all cases. I would not use personal email, not SMS.

Internal email, even without good security, is pretty secure. SMS even with great effort is wide open.

If you want to split things, put the password in email and the account info in SMS. The password is the piece most needing protection.

technobabble

@Carnival-Boy I would say the best thing that comes out of posts like this is opinions and work flow others use.

I am not always right, and as the owner I would rather be a dictator when it comes to security, but as it has been pointed out, I could be hampering businesses from working which could cause the business to no longer need my services. I don't want to become the IT person that my clients always tells me about, the rude, obnoxious and overbearing person who points out all the stupid things people do in the office. I believe I will let my blog do that.

Also if O365 is much more secure, I am going to be pushing it a lot more.

JaredBusch

@technobabble said:

Also if O365 is much more secure, I am going to be pushing it a lot more.

Any exchange server can have opportunistic TLS enabled, just have to do it. If you use Postini/Google Apps, it is not turned on there by default, but is very easy to turn on.

alexntg

@Carnival-Boy said:

@scottalanmiller said:

I've written a bit on the evils of SMS.

Link? I definitely don't understand the risks.

Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set-up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

That's one of the many reasons that it's important for companies to have and enforce policies that prohibit employees from using their personal email for work purposes.

Carnival Boy

How do you enforce something like that?

JaredBusch

@Carnival-Boy said:

How do you enforce something like that?

You make it policy. If they are caught, then you discipline them per the policy.

Carnival Boy

@JaredBusch said:

. If they are caught, then you discipline them per the policy.

That's HR's function, I try not to get involved.

A Former User

just say no to residential clients there are a bagillion folks round here (college town) doing laptop repair for right next to nothing. little yard signs up everywhere. heck just say no to some tiny companies too