Twitter broke a very interesting story this week about a hacker who bulk-harvested account details by installing backdoors in a popular torrent hosting solution.  Users registered for a valid service, and received value in return, but all the while, their details were being stolen.

This would be a pretty boring phish, except for the part where users re-use passwords and account names ALL THE TIME.  The current trend is upsell — harvest a low-value throwaway password at an insecure site and then see what high value matches can be made with the same username and password.

Identity Theft via phishing used to be a consumer identity problem, but Cloud services and extranets have changed that.  There is now a new game in town:  commercial phishing.  If your enterprise users are uninformed enough to use their work email and a standard, muscle-memory-password at a site like a torrent site, attackers now have a growing list of possible commercial candidates for that account.  Of course there is always the chance that the worst case scenario will happen and an attacker will harvest your entire Enterprise Directory.   You may say, my company is obscure, what use would hacking my company be?   Well, if you use outlook web access,  and your AD password is phished, and your accountant uses his/her work email address for password recovery on your corporate banking site, there is a path for an attacker to get at your organization’s money from the internet.

I think it’s hysterical that a company will spend all sorts of money for education of their workforce around physical safety and nothing on account safety.  Why is there not a brightly colored data safety reminder on  every floor, something to idly inspect while you’re waiting for the elevator?  As much as you scoff at the idea, the very prosaic advice that this fire poster offers DOES help in muscle-memory situations.  The strategy of setting out simple rules and making them highly visible does work.

Not only does a sign like this not exist for account safety, I don’t even think that there is agreed-upon text to go on it.  No wonder we’re in the state we’re in.