Slashdot Mirror
The IT Department as Corporate Snoop?
coondoggie writes with a link to a NetworkWorld article about the dangers of IT department snoops. A study released today is likely to exacerbate the trend of failing trust in employees; it shows that one in three IT employees poke through systems and prod at confidential information while on the job. The survey was done by a firm specializing in password security, so some salt might be required for this particular article. "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them. More than 200 IT professionals participated in the survey with many revealing that although it wasn't corporate policy to allow IT workers to access systems after termination, still almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago."
1/3rd of IT professionals poke through other employee's files? What are the other 2/3rds up to all day long?
Never hire an IT guy who couldn't pass the BOFH test.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Would it?
A Good Troll is better than a Bad Human.
I've been hosting http://www.encyclopediadramatica.com/ through my old job. They're going under and the server is falling apart.
"The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job,"
This is kind of funny, When the layoffs hit back in 2001 I know of lots of instances where this happened. They lay off the IT staff and expect the systems to magically run them selfs, or expect the janitor to be able to run it all.
But to see that today is a little of a surprise. Maybe they have not hired new IT staff and the equipment is just running on autopilot.
All the more reason to put make sure nobody else is snooping on you before you install your backdoor program!
Convert FLACs to a portable format with FlacSquisher
Well, that could explain what the editors do with their time...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Like in government (cough cough cough), powers should be divided amongst a number of people i.e. hardware admins, web server admins, database admins, 'maintenance admins', et cetera. But for the majority of places this could easily be too many people. Of course, this is pretty impractical too, and I for one know most admins don't like having obstacles; but after all that's the root of the problem at hand.
Some people are blockheads.
News at 11.
A Human Right
The last thing I want to do after spending 8 hours on my company's network is spend my personal time trying to get back onto my company's network.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
They even sell the T-shirt.
Weaselmancer
rediculous.
In the mid 90's, I switched employers. My former employer was a fairly large medical / toxicology (drug testing) laboratory, and the records were fully searchable by name, SS#, and so on. Around this time, I got a new PC, and left the old one pretty much untouched for several years. About five years later, I fired it up out of curiosity. The terminal emulator shortcut was still there, so I plugged in the modem and was on the laboratory's network within minutes. Full access.
The company has since been bought out and shut down, but that incident has always bugged me.
Best Windows Freeware
accessing old work system is true i think... i know i still have access to places i setup 7 years ago, i login once a year to look at the up time on the system. it's nothing more then me checking on how my creation is going, if i saw a problem i'd probably report it to my old boss with a suggested fix.
by the way, it's linux 2.4... 7 years up time on old salvaged hardware.
If you mod me down, I will become more powerful than you can imagine....
"it wasn't corporate policy to allow IT workers to access systems after termination" LOL My organization is implementing RSA two factor authentication http://www.rsa.com/node.aspx?id=1156 to ensure that network admins can't get access once they leave the company. Without controls like this you just need one digruntled admin to cause you some big headaches.
"The survey found that more than one-third of IT professionals admit..."
I find that hard to believe.
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
It's just my opinion but I'm sure many will agree with me on that. In every case where a person has privileged access to information as part of their job, there is usually some sort of ethical standard of non-disclosure in place. As an IT manager, I thrust my ethics upon people on a regular basis citing that I do not EVER want to know anything I don't need to know. Usually, it's passwords, but wouldn't that just be the start?
I can't imagine how anyone could consider themselves "professional" without professional standards of behavior to go along with it. Do professionals in all fields get tempted "by the dark side?" Oh yeah... we see it on the news every day.
But at a rate of 33% of IT professionals breeching company trust? That's pretty frightening... it's probably untrue.
Your company should have a published policy regarding user privacy and IT, and all members of IT should abide by that policy at all times. (In our case, for files or email, we require the approval of the user themselves or of a department manager and human resources before we go off reading your stuff. We do reserve the right to monitor network traffic at any time, for any reason, but we also make sure your email access runs encrypted over the network...)
In any case, please encourage your local IT Professionals to behave like Professionals. How should they behave, you ask?
Like THIS.
Anyone who doesn't lock the accounts of ex-root-access employees and change the shared passwords that they had access to is lazy and negligent, bordering on criminally negligent. That's just inexcuseable...
From my perspective, this is true enough. There are places that I still have access to that, by all rights, I shouldn't. I log in about once a year to see if I still have access, and if I do, I email the owner/manager of the place to that effect. Last thing I want is for something to go legal and me have a finger in the pie.
Of course, for a few places around here, me still having access is a good thing. Seeing how they call me about once a week because they couldn't follow well laid out documentation on managing the system...but I digress.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
It's almost impossible not to occasionally catch sight of something sensitive when you work in IT; Employee databases, email folders/logs, web browser histories, chat logs etc etc.
More than any other reason, this is why your IT team should be well paid and why duties should be segregated.
Course there should be documented exit procedures for HR and IT when people leave.
Deleted
The Air Canada vs. Westjet case involved computer espionage and a former employee who kept access to Air Canada's computer system. The result cost Westjet millions. The settlement left no doubt that what Westjet and its employees did was illegal. Illegal, as in someone could end up in jail, that kind of illegal. http://www.lockergnome.com/nexus/news/2006/05/29/w estjet-accepts-blame-settles-with-air-canada-in-es pionage-case/
I had a supervisor at one company pop up in my cube saying that I was wasting company time by looking at Amazon (which was up on my web browser) and threaten to write me up. With breakfast burrito in hand, I told him I was on my break and to bugger off as I was within policy. After that, I browsed the Internet on my PDA by going through the open wireless access point for the company next door. The virtual keyboard was a pain in the butt for Slashdot posts. :P
almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago.
That's absolutely meaningless, and including that as a 'result' means that the pollsters are either ignorant or deceptive.
I bet 95% of slashdot readers know a homosexual. What does that say about the frequency of homosexuality? Pretty much nothing. There's overlap (two responders thinking of the same person) and selection bias (25% know of one case of a terminated employee with access... that might be out of a hundred terminations where rights were appropriately revoked).
I always found that sysadmins (myself included) tend to acquire keys whenever possible. I don't care if it's just a broom closet, I want to know what's in there. There's a mix of paranoia, extreme curiosity, and helpfulness that come with the profile.
And doing someting bad with it are 2 different things.
---- Booth was a patriot ----
I'm skeptical about the snooping (much as I bitch about admins, they're actually remarkably ethical about privacy given the access they have, IME) but that password thing sounds dead on. Whenever they give us the lecture about how keeping track of the login/password combos for 25 different accounts, each rotated every 60-90 days, with mandatory mixed case, numbers and punctuation is easy -- why all you do is make up a little story -- "Mary went to the store to buy milk" becomes h7^Y8U0bs# -- I always ask them for the story to their previous password to the office furniture request page. They splutter about how no, that's a security risk to part with one of their expired stories but I can see the Post-It with the root password in their minds, like I'm Professor Snape.
What I'm listening to now on Pandora...
I like to think of myself as a Telegraph Operator. Sure I know peoples secrets, but it would be unprofessional for me to tell them to anyone.
Two separate problems here.
Some people are just scum. There are too many of these people in any group.
Some people need rudimentary ethics education. These are the interesting ones.
It's hard to imagine that people just don't think about ethics, but from what I've seen, much of the problem is exactly that. I've seen people who act badly but later with a little education, they actually work hard to behave well. Working with High School students and junior IT staff I found them ethically naive (to be generous) but remarkably amenable to argument and explanation on the ethical problems we face.
I really don't think much of human nature so I'm not surprised much by simple dishonesty, but working with a few of these kids, I was surprised at how well they learned to behave. Of course, some folks just acted badly anyway. Some people are just born sh*ts.
While I believe the quoted (>1/3) figure, I also think that with just a little effort, those of us who are professionals can improve it substantially. Listen to your cow-orkers. Their stories will probably illuminate their attitude.
The other thing that I find interesting is that it is easier to identify the ethically naive than the fundamentally dishonest. That's why those personal stories are so telling.
Assembly is the reverse of disassembly.
Maybe this explains how so many Ameritrade customers are getting spammed with pump-and-dump stock spams... An ex-employee (or hell, even a current employee) could be pocketing quite a bit by selling off their email addresses. This is assuming, of course, that the company isn't doing this itself.
Slashdot's first reaction to VMware
Which means 2/3rds of IT professionals don't familiarize themselves with the systems they're running.
If you're in IT, and you're an administrator, the company must be able to trust you with ALL DATA! That means ALL FUCKING DATA, not what the top people just think you should or shouldn't be familiar with. If your company is shit and fucks people over daily, IT will know, and IT Will find another job and leave you with some shitty guy who can't even turn a machine on doing your work. Then you get targeted, taken down, and goodbye and good riddance company.
The only alarming thing is that the asshats at the top who give life to the term "shit flows down hill" think "oh shit, my pants are down, my hand is in the cookie jar and I'm going to get caught".
In the security business, a lot of the danger from IT employees comes from a class of attack known as "abuse of authority." It's near-impossible to prevent through technical measures, since the people in question need the elevated privileges in order to do their jobs. A careful program of auditing can often detect these abuses after they've occurred, however.
I had a situation occur a few years ago in which I had to fire a trusted and valuable staff member for snooping through a senior manager's email. Another staff member actually detected this when he printed a copy of the email, and it came out of the printer in his home office even though he was on travel. This came to my attention very quickly, and we reviewed audit logs that we'd put in place earlier and found plenty of evidence of his snooping. It pained me to fire the guy--he was smart, ambitious, and held up really well under pressure. But in the end, I concluded that a slap on the wrist would just send the message to other team members that it was OK to cheat until caught for the first time. I suspect that it was the right move for him, too; our sudden, decisive response to his lapse in judgment doubtless made an impression.
So, some advice to IT managers: ensure that there's an audit trail for all privileged activity. You'll detect and stop abuse if it's going in, and will deter staffers from being tempted to misuse their rights.
Phil
There was something called integrity. I don't think there is as much of a focus on it anymore as there should be. The focus has shifted into mostly monetary interest; on both the part of the employee and the employer.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Not only should the article written by the firm specializing in password security be taken with some salt, but it is also a good idea to add salt to passwords.
Okay, that was a stretch.
An unjust law is no law at all. - St. Augustine
Isn't the Late Friday Afternoon Stealth S***can Ambush Maneuver(tm) still the standard in IT to prevent this kind of thing? You know, where you log off and head out towards the car after a hard week at work when the boss grabs you and takes you into the Tiny Conference Room of Doom(tm), makes you wait ten minutes while he goes and kills your accounts, and THEN comes back in with the empty Office Depot copier paper box? Because that's been SOP at every IT department I've ever worked for. If the exit boots aren't run by paranoid IT people who know the dangers, they ARE run by paranoid HR types who don't trust anyone (that's why they are in HR). Seems a load of crap to me.
I do not deploy Linux. Ever.
It's almost impossible not to occasionally catch sight of something sensitive when you work in IT; Employee databases, email folders/logs, web browser histories, chat logs etc etc.
This one is thorny. I actually had a former boss accuse me of snooping through his e-mail after he asked me to look at his e-mail to figure out why he was getting so many spam messages (SpamAssassin was just out at the time and I was writing custom procmail rules for him).
Of course, this was before he turned into a complete ass, was 'over beers', and he subsequently denied it (of course he thanked me for the reduced spam at the time).
Moral of the story - if you deal with confidential information, make up a form and have it signed off each time you have a request to work on said information. It's the assholes who create the bureaucracy, ain't it?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
If your company is like the ones I've worked for (in the UK btw), then you are underpaid, undervalued and mistreated. The whole system stinks and you get paid far less than people who've a tenth of your brains. So you try to reclaim a little power over the bastards. You take their passwords and read their email and then use the information against this. You've the right to do this because you can do this. They themselves have adhered to this law by treating you like crap in the first place. What goes around...
There is no such thing any more.
Employees are liability for companies, not assets, but thing that damages bottom line.
If there is no trust between employees and employers there is no integrity.
Anyway, corporations are not human beings just organizations to make money
> The survey found that more than one-third of IT professionals
> admit they could still access their company's network once
> they'd left their current job, with no one to stop them.
Does it seem that people are villainizing the IT guys that left?
Shouldn't the criticism be levied upon the IT guys who REMAIN?
And as for snooping, it's not the snooping that bugs me, but the disclosures that sometimes follow. I was really pissed off when my boss started publicly ripping on me for the quality of some code scraps he found in my documents folder.
I didn't mind that he looked -- I don't expect privacy on a corporate computer. But he used what he found in an attempt to humiliate me (which failed since the rest of the department knew that the code was something that I was reviewing from a new intern).
I am sure Ken Thompson still has access to Bell Labs' information.
I guess a few of us may be a bit young to remember this one.
The guy was not authorized for the use he made of his login rights. THE USE WAS NOT AUTHORIZED. In the settlement, Westjet agreed that what they, and their employee, did was illegal. The question here is what anyone has the right to do.
I agree with many of the people before me. I do not accept keys to client locations unless I am onsite more than a month. I do not accept domain administrator passwords, I ask for a unique admin account with delegated rights. And I do not snoop into files.
Just recently I went to my boss and told him that our ex-HR person's home directory was wide open. I pointed out to him his hire letter and more from my other collegues. I almost did not approach him about it for fear of repricussions. However, I did not have any more than domain user rights and found it using Vista's new desktop search.
As the IT guy, I am constantly exposed to data that, personally, I'd rather not see.
A big one is emails. Got an administrative staff member moving to a new computer, one of the things that I have to do is move all his/her email settings to the new machine, and ensure that her mailbox (if it's POP3) and address book make it over. Even if it's something like an IMAP account, I still need to test that the username/password and settings are correct.
Generally in most cases I just catch a glimpse of the mail headers, etc, but you never know what you could have access to when copying a user's confidential files. In cases where I've had to do data recovery it gets even harder to avoid poking around, as one has to at least partially verify that files are being restored intact, etc.
The IT department has access to a lot of things, and frankly a rogue IT Dept member could very easily read/filter his boss's email, documents, and pretty much anything else. The best policy for data security is to hire people you can *trust* with your data, and to treat them well (I'm sure we've all heard heard stories of what disgruntled IT dept employees have pilled off).
Cool!
I wash dishes for a living.
- - - - - {sotto voce} - - - - -
It's okay, I'm still in tertiary education. Plenty of time for a long-term career in data-entry.
THUD~*
> The survey found that more than one-third of IT professionals admit they could still access their
> company's network once they'd left their current job
Did they say why, or was it a yes-or-no question?
If it were a yes-or-no question, stated along the lines of "If you left your job, would you subsequently still have the ability to access your employer's network?", then I would have to answer "yes", but this has nothing to do with my being a snoop and everything to do with my employer not having anyone else on staff who understands security AT ALL.
As an IT guy (_the_ IT guy, actually -- we're small), I understand the value of passwords, but my coworkers view them as an impediment to convenience (which, granted, they are) and little more (which is a mistake). If I quit, there is absolutely ZERO possibility they would change the passwords. Two or three years ago there was a certain password that we knew for certain had been compromised and was being actively abused, and it took me upwards of six months to finally get permission to change it -- and when I did... well, you have never heard such whining as then ensued.
There's also the small matter of password quality. If it weren't for me, most of the passwords would be short dictionary words strongly related to the nature of the organization.
In my experience, the IT department is the only portion of the organization that knows or cares ANYTHING about security. This has nothing to do with the IT department being snoops and everything to do with the perspective of everyone else in the organization.
And it's absolutely not just because non-IT people don't understand computers. Computer-systems security is not the only kind of security they don't understand. Think in terms of locking the money in a safe every night and then keeping the safe key in a desk drawer ten feet away and NEVER EVER changing where it is kept, not in the entire time I have worked there. They did finally start locking the office door most nights (but NOT every night, because certain mornings there's nobody there with a key, and they HAVE to be able to get in there) after there were two unexplained thefts, which might or might not have been inside jobs, it was never determined. (I suspect they were probably NOT inside jobs, because it's been months now and no repeats. A thief usually can't stop stealing, so that probably means it's someone from outside the organization and they've moved on to steal elsewhere. But that's a guess.) And the staff were never careful about letting the general public see where the money was put at night when they were getting ready to close up. (Put the money away AFTER closing? Heck, no, that would mean the employees would have to stay in the building after closing for an extra thirty seconds.)
I don't expect non-IT people to understand about arcane technical details, like what a firewall does or how a worm differs from a virus. That's why you HAVE an IT department. But a total lack of interest in anything vaguely related to any kind of security as another matter entirely. If that's the environment, then of COURSE the IT people are going to be able to get in (to the computers, to the building, to the money, to whatever) after leaving, not because the IT people are snoops, but because no precautions are taken against it.
And I said I would still be *able*, if I leave (or am fired), to get into the network. I didn't say I'd DO it. You have to watch out for that sort of thing in the wording of questions too, because IT people take things fairly literally. How you ask the question actually matters.
Cut that out, or I will ship you to Norilsk in a box.
fo shizzle
Maybe it is just me but I've always considered it unethical to even attempt to log in to a previous employer's system. After all, I did a job, they paid me, and now our relationship is over. It annoys me when people brag, "yeah, I can still get into my old accounts." Like that is some impressive feat of engineering.
People need to grow up and gain some ethics. After all, do you go back to an old apartment with a spare set of keys "just to see" if you can unlock the front door?
As a DBA part of what I do is actively monitor outside query executions to relation to server performance. Really wicked looking monitors display this information constantly of the external system, internal users come by asking if I'm able to see what they're doing and I give them the honest answer of "Yes... But you guys aren't that interesting." They automatically assume that because I can be big brother that I AM big brother.
I only monitor specific user activity if they complain of performance problems. But, the monitor for external user activity is always up so they think I'm always watching them. It's all about perception.
Ask not what you can do for your country. Ask what your country did to you
Maybe they proved their point about access to the departments data. But they didn't prove to me that they accessed the data in order to commit harm to the business. There is maybe a slight number of ex employees that still have access that you probably need to worry about more. Those will be the ones, that would never admit to being able to access the data.
Cyber-Ark Software has a lot to gain by inflating the risk.
These things are all too common. I used to work for a rather large ISP doing simple "level 1" technical support. I worked there about two and a half years before the place was bought out and the office moved about 45 miles away and I decided not to continue working there since I didn't want to move or drive that far. FOUR YEARS later i STILL have an ftp account on their server, webspace and last I checked....a dialup account. Since there was also an issue during the "move" there are several people who now have free dialup accounts, email & webspace and have never been billed for it to this day. But as far as snooping goes, I am guilty as charged for poking around all too much. Infact one time a buddy and I modified a few programs and were able to get everyones email password, see what they were doing, modify traffic and so on. Actually if we had any hostility in mind we could of shut 90% of the place down on demand without anyone being able to tell how it happened or who even did it. Of all the things that we ever found wrong with anything there almost none of it was ever fixed and that is still the way everything there operates to this day even though they handle 100,000+ customers
It would be interesting to see just how many security holes go unpatched because the new IT guy takes an interest in the vulnerability. For example, let's pretend I'm the big cheese admin leaving the company, and I have a nice little backdoor that I leave open for my own dirty uses. My replacement finds my backdoor, and is faced with a few options:
1. Close the vulnerability and stool me
2. Close the vulnerability and keep quiet (to keep management from panicking)
3. Leave it open and ignore it (unlikely)
4. Leave it open and exploit it
And if the new guy is really young, there's always:
5. Leave it open and tell all his friends about it, get busted and spend the rest of his life doing crap jobs because he now has an ugly criminal record
But seriously, I'd be willing to bet a good portion of the new guys, maybe 25% or so, would simply take advantage of the vulnerability for their own voyeuristic tendencies. I dunno, maybe I've worked with too many skeevy techies, my perception could very well be skewed.
-Billco, Fnarg.com
Be the security Nazi...watch how fast you get promoted and lavished with praise and money. Here is a template.
In still fear by over promoting the risk.
Hire a aduiting firm to tell you what to do.
Install keyloggers on each workstation and create the corporation's largest database. Then implement a sexy program to find "bad thoughts"
Fire a few people and put the fear in your employees.
Who cares if it has nothing to do with the business...we at war.