According to an employee with knowledge of the system, the password to the Louvre's video surveillance system was simply "Louvre" at the time of the robbery last month.
I once read an interview with a white hat hacker. He said that people expect him to try to remotely connect to their network and try to brute force his way in. The first thing he actually does is put on a suit, visit the company’s headquarters, walk in the front door, start a conversation with the receptionist, and see how far he can get.
I’ve done exactly that, worked as a Red Team Lead, and the success rate is pretty disturbing. That, and vishing - calling people from the company you find on Linkedin from a spoofed number of their IT that they fucked something up and need to download and run this .exe to fix it before The Audit that’s currently happening notices it.
Even if we do internal infrastructure tests where they let you in, switch AVs to “detect mode” instead of “block mode” and the goal is to find as many unpatched systems/vulnerabilities as you can (instead of, well, testing the AV solution), what we usually do is run a password spray for all domain accounts with a combinations (you can try like 3 to not lock the accounts) of “<month><year><companyname>” we every single time got at least few accounts.
Fortunately this kind of tests are getting more popular, and passwords such as this should’ve definitely been caught in some kind of security test. But it is also pretty depressing, when you repeat the same test next year, and 80% of the passwords are still the same, and vulnerabilities are still not patched.
I once read an interview with a white hat hacker. He said that people expect him to try to remotely connect to their network and try to brute force his way in. The first thing he actually does is put on a suit, visit the company’s headquarters, walk in the front door, start a conversation with the receptionist, and see how far he can get.
I’ve done exactly that, worked as a Red Team Lead, and the success rate is pretty disturbing. That, and vishing - calling people from the company you find on Linkedin from a spoofed number of their IT that they fucked something up and need to download and run this .exe to fix it before The Audit that’s currently happening notices it.
Even if we do internal infrastructure tests where they let you in, switch AVs to “detect mode” instead of “block mode” and the goal is to find as many unpatched systems/vulnerabilities as you can (instead of, well, testing the AV solution), what we usually do is run a password spray for all domain accounts with a combinations (you can try like 3 to not lock the accounts) of “<month><year><companyname>” we every single time got at least few accounts.
Fortunately this kind of tests are getting more popular, and passwords such as this should’ve definitely been caught in some kind of security test. But it is also pretty depressing, when you repeat the same test next year, and 80% of the passwords are still the same, and vulnerabilities are still not patched.