
Pen Testing Ships. A year in review - omnibrain
https://www.pentestpartners.com/security-blog/pen-testing-ships-a-year-in-review/
======
krisoft
"password re-use across an environment is endemic..." What is the solution
against this? I just can't identify with the "D’OH!". People want to get their
work done. They will use whatever gets the job done. If there is an easier,
better way they will use that. So how can we provide them systems where the
easier, better way is also safer? What is the current best practice in this
area?

~~~
seer
I would love to know this as well. The rise of 2FA has made everything more
secure for sure, but it has made usability plummet like a rock on Jupiter.
Especially in a corporate environment where you have multiple layers of
tokens, authenticators and passwords.

Password managers do help, but you still need to click and enter and
copy-paste many, many times a day.

If only someone like Apple / Microsoft / Google came up with a comprehensive
solution to all this - as they seem to be the only entities big enough to
shoulder such a monumental task.

I mean Apple sorta kinda does, but only for its own services. I have an Apple
Watch, it knows that it's me and it's authenticated. The proximity with my
laptop unlocks it automatically - so far so good, but why can't I use the same
thing for github/google/microsoft websites? Why can't Safari send some sort of
token through to then authenticate that it's me? I mean if you're afraid it
might be someone else at the computer - _check the damn watch proximity
again_! And if there's a need for personas - sure, but they are all still
linked to me. I would imagine there could be like a system dialog where I
choose which persona to send to a specific site/app. /rant

~~~
briffle
I can't imagine 2FA on something like a ship at sea, that may or may not have
a working uplink to high-latency satellite internet, and probably not the SMS
that many 2FA providers use.

~~~
rkangel
Which is why your second factor would be a physical key, authenticated
locally. 2FA doesn't have to require internet access, it just needs two
factors!
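
rkangel's point, that a second factor can be checked on the ship itself with
no uplink, is what TOTP/HOTP hardware tokens rely on: the verifier needs only
the shared secret and a clock. The following is an added example, not code
from the thread or from the linked article. It uses the RFC 6238 SHA-1 test
key as a constructed demo secret (a real deployment provisions a random
per-token secret at enrollment) and adds a last-accepted-counter check so a
code seen once cannot be replayed within the window.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 test-vector key, base32-encoded.
# Real tokens get a random per-device secret at enrollment.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # one TOTP time step
DIGITS = 6          # code length shown on the token


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the local clock."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                last_counter: int = -1, window: int = 1) -> Optional[int]:
    """Check a submitted code against the current step and +/- `window` steps.

    Returns the matched counter so the caller can persist it and pass it back as
    `last_counter`; any counter at or below it is refused, which blocks replay of
    a code that was already accepted. Works entirely offline: only the shared
    secret and the verifier's own clock are used, no SMS, no network round trip.
    """
    counter = unix_time // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue  # already consumed (or older): reject even if the code matches
        if hmac.compare_digest(hotp(secret_b32, c), candidate):
            return c
    return None


if __name__ == "__main__":
    # Token side and verifier side share only the secret and roughly synced clocks.
    t = 59
    shown = totp(DEMO_SECRET_B32, t)
    print("token shows", shown)
    print("first use  ->", verify_totp(DEMO_SECRET_B32, shown, t))
    print("replayed   ->", verify_totp(DEMO_SECRET_B32, shown, t, last_counter=1))
```

The `window` of one step either side absorbs the clock drift a satellite-synced
or hand-set ship clock will show; widen it only as far as the tolerated drift
really requires, since each extra step is another code an attacker can guess.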

------
ropiwqefjnpoa
The cruise booking hacks caught my attention...

In any case, I still find myself removing sticky notes on monitors with
passwords. One time, I caught them mass-producing login credentials on Avery
label sheets. I nearly lost it on the poor reception staff.

~~~
frandroid
I used to keep a fake password sticky on my monitor to make people like you
lose it. :)

~~~
yjftsjthsd-h
It would take some work, but I'd really love to have a password that, if
entered, would trigger an alert (and maybe power off the machine or
something). Then put that booby-trapped password on a bit of paper and stick
it under your keyboard or wherever.

~~~
jdsnape
There’s a company that makes exactly this -
[https://canary.tools/](https://canary.tools/)
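
The booby-trapped password yjftsjthsd-h describes above is a honey credential:
a second password on a real account that is never valid and whose use means
the note under the keyboard (or a copy of the credential store) has been read.
The following is an added example, not code from the thread or from Canary;
the account, salt, passwords and the in-memory alert list are all constructed
for the demo, and the "power off the machine" part is left to the caller's
policy.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# Constructed demo values. A real store uses a random per-user salt
# (os.urandom) and keeps the decoy hashed exactly like the real password,
# so a dump of the table does not reveal which one is the trap.
SALT = b"constructed-demo-salt"
ITERATIONS = 50_000


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


ACCOUNTS = {
    "alice": {
        "hash": pw_hash("correct-horse-battery-staple"),  # what alice actually uses
        "decoy_hash": pw_hash("Alice!Summer2019"),        # what the sticky note says
    },
}

ALERTS = []  # stands in for the SIEM, pager or canary console


def authenticate(username: str, password: str, source: str,
                 now: Optional[datetime] = None) -> str:
    """Return "ok", "denied" or "canary".

    The decoy password never grants access. Presenting it raises a high-severity
    alert and denies the attempt. The hash is computed and both comparisons run
    on every call, so response timing does not reveal whether the user exists or
    which of the two hashes matched.
    """
    now = now or datetime.now(timezone.utc)
    acct = ACCOUNTS.get(username)
    presented = pw_hash(password)
    if acct is None:
        return "denied"
    real_match = hmac.compare_digest(presented, acct["hash"])
    decoy_match = hmac.compare_digest(presented, acct["decoy_hash"])
    if decoy_match:
        ALERTS.append({
            "ts": now.isoformat(),
            "severity": "high",
            "rule": "honey_credential_used",
            "user": username,
            "source": source,
            "action": "deny; page on-call; isolate host if policy requires",
        })
        return "canary"
    return "ok" if real_match else "denied"


if __name__ == "__main__":
    print(authenticate("alice", "correct-horse-battery-staple", "10.0.0.5"))
    print(authenticate("alice", "Alice!Summer2019", "10.0.0.9"))
    print(ALERTS)
```

Because the decoy is a password nobody legitimately uses, the rule has
effectively no false positives, which is what makes it worth paging on.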

------
RyJones
One of the competitions in Hack the Machine[0] brings in a copy of the setup
of the bridge[1] of a ship and you're allowed to attack in a lot of ways. It
was impressive.

[0] [https://www.hackthemachine.ai](https://www.hackthemachine.ai)

[1] [https://www.hackthemachine.ai/track1/](https://www.hackthemachine.ai/track1/)

------
cbsks
Stupid question: What are "OT" and "IT" in this context?

~~~
cbsks
Answered my own question:

Information Technology (IT): “The entire spectrum of technologies for
information processing, including software, hardware, communications
technologies and related services. In general, IT does not include embedded
technologies that do not generate data for enterprise use.”

Operational Technology (OT): “Is hardware and software that detects or causes
a change through the direct monitoring and/or control of physical devices,
processes and events in the enterprise.”

[https://www.globalsign.com/en/blog/it-vs-ot-industrial-inter...](https://www.globalsign.com/en/blog/it-vs-ot-industrial-internet)

So basically OT is IoT and embedded devices, and IT is everything else on your
network.

~~~
csours
Yes, think of OT as the device that connects sensors to actions: when this
limit switch is tripped, that servo is activated. You may also want to know
how many times each switch is activated, and the status of the servo, so the
information gets sent over to IT for logging and display in an HMI.

