San Francisco DA Discloses City's Passwords

snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for awhile until they've changed them all and modified the configurations of some large number of VPN clients.'"

Re:Ah HA!

[WK2]

Why did the DA even have access to these passwords? Why were they not in hash form? Did Child's have anything to do with that part?

Passwords can be TOO strong.

[Jane+Q.+Public]

I attended a lecture some years ago by a Microsoft employee who was high up in their security structure.

He started his speech by asking the audience, "Passwords and policies should be made as strong and secure as possible, right?"

A show of many hands.

He said, "Wrong! It is possible for a password policy to be TOO secure. Let me give you an example. It is possible to set up a security policy in NT that requires a password of at least 8 characters, which must also be mixed case, have at least one numerical digit, and at least one non-alphanumeric character, and which will require a change of password every week."

"As soon as you implement that policy, users will write their password on a post-it note, stick it to their monitor, and replace it with a new one every week. So you see, a password policy CAN be too secure for your own good."

Re:NEVERMIND!

[rahvin112]

It's government. To think like government in implementing something like VPN you have to conceive a solution that involves the user not having to do anything (other than maybe push a button) and this includes anything other than a standard login box. Second you have to implement this in a way that the user themselves can go home and implement this solution without any site help from anyone and zero technical knowledge. (you don't send an IT person to a State Employees home, that's asking from some kind of lawsuit). Fourth the solution must be as expensive as possible, support some local business (preferable if the business owner is connected politically with one of the local leaders) and require very few extra hours from the already overworked staff.

What does that result in? Hardware VPN boxes plugged into the network router, with the users computer plugged directly into the VPN box. Costs a lot, requires pre-configuration of the box but should require no site visits, idiots can usually successfully plug in boxes with phone support only and any reconfiguration likey requires the box to be brought back into the office as the VPN keys on the boxes are likely hard coded into a configuration on the VPN device. Likely a turn key solution so you have a hefty support contract and the vendor would likely assist with deployment and any reconfiguration resulting in a nice contract fee for reprogramming all the boxes.

My guess is some VPN box provider is going to be doing a service call on every box and netting themselves some nice profit under their support agreement.

Re:Then the users will change them right back

[AJWM]

Are you sure this guy hadn't called support to have his password reset? Because "password" sounds like something they might reset it to, and unlikely for someone to forget.

Re:RTFA

[masdog]

Do they even know what those "usernames" and "passwords" are for? Did they check any documentation or did they just assume that the list was a list of individual users and passwords that Childs could use to wreck havoc?

After reading the article, it seems like the list consists of Cisco VPN group names and pre-shared keys, not usernames and passwords. To someone who isn't familiar with the technology, it would look like a username and password, and I'm sure they are counting on the technological ignorance of the Judge and the general public to keep up this charade.

It will be interesting when this thing finally goes to trial. The city is probably going to end up eating its words.