A better WannaCry advisory for schools

Sun, 14 May 2017 19:21:02 +1200

The Ministry of Education sent out a very poor advisory to schools about “WannaCry” today, based primarily (from what it seems) on the poor information coming from CERT-NZ. The advisory contains several factual errors, which the Ministry should not be spreading to schools. I’ve written an improved advisory (I’ll update it as required).

(An improved version of an) Urgent message from the Ministry of Education

The weekend media reported on a virus called WannaCry (also WannaCrypt, WanaCrypt0r, WCrypt, and WCRY) that infected many computer systems around the world over the last few days, including very prominent organisations such as the NHS in the UK. It appears that few infections have occured in New Zealand, but it is possible that your school may have been, or may be, at risk. We are writing to let you know what you should do, and what we are doing to protect schools.

Why "3 tries and you're locked" weakens security

Tue, 03 May 2011 20:04:11 +1200

Some organisations have a security policy that after three failed authentication attempts an account is locked (requiring manual unlocking by an IT support person) - the goal is to strengthen security, but this actually decreases the security of the organisation. The intent of a policy like this is to prevent brute-force attacks - if you’re limited to three attempts per account before intervention by a human is required, then brute-forcing an account is no longer practical. However, there are better ways of preventing a brute-force attack, for example:

Security on Tony Andrew Meyer

A better WannaCry advisory for schools

(An improved version of an) Urgent message from the Ministry of Education

Why "3 tries and you're locked" *weakens* security

Why "3 tries and you're locked" weakens security