San Francisco DA Discloses City's Passwords

snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for awhile until they've changed them all and modified the configurations of some large number of VPN clients.'"

Ah HA!

[clang_jangle]

AH HA! See, Childs was right , he is the only competent one!

Re:Ah HA!

[WK2]

Why did the DA even have access to these passwords? Why were they not in hash form? Did Child's have anything to do with that part?

Re:Ah HA!

[_Sprocket_]

Childs' defense attorney has got to be happy about this.

"Your Honor.. I would like to direct the Court's attention to Exhibit A; the mere existence of which proves our case..."

Re:Ah HA!

[crath]

Therefore, it should be his job to keep this document so that he can provide the users(of the proper departments) with their proper access credentials.

There are NO circumstances under which one user should possess another user's password; not even an Administrator. The only exception to this rule ever allowed is when the account is first created: when a one-time use password is assigned by the Administrator; however, in a world-class IT infrastructure (such as an enterprise like the city of SF can afford to implement) an application creates and assigns a random password and then communicates it to the user via secure means (with no person seeing or having access to that password).

Dang!

[Ungrounded+Lightning]

AH HA! See, Childs was right , he is the only competent one!

Dang! You beat me to posting about it.

Wasn't part of Childs' point that password security in the S.F. government was lax and that divulging the big one in a way that would spread it around was dangerous to the network?

Given that the configurations on the routers weren't saved, the first guy to use that password on them had better be DARNED careful to get them recorded before changing anything or he's likely to break the network big time. So handing it to an administrator, who will hand it to several people, any of whom might leak it, could cause the net to come crashing down.

If all they'll let him do for a handoff is hand off the passwords, I can see how a prima donna BOFH would want to hand the big one directly to his successor, who would then spend the next week carefully recording the configs as-running before making changes or sharing the password with less-skilled delegates.

Not that it's right. But looks to me like the city is making his point for him - which his lawyer should use in a counter-argument at the bail hearing. B-)

Passwords can be TOO strong.

[Jane+Q.+Public]

I attended a lecture some years ago by a Microsoft employee who was high up in their security structure.

He started his speech by asking the audience, "Passwords and policies should be made as strong and secure as possible, right?"

A show of many hands.

He said, "Wrong! It is possible for a password policy to be TOO secure. Let me give you an example. It is possible to set up a security policy in NT that requires a password of at least 8 characters, which must also be mixed case, have at least one numerical digit, and at least one non-alphanumeric character, and which will require a change of password every week."

"As soon as you implement that policy, users will write their password on a post-it note, stick it to their monitor, and replace it with a new one every week. So you see, a password policy CAN be too secure for your own good."

Re:Then the users will change them right back

[clang_jangle]

I used to work in an office which was a complete free-for-all. Once I had some code I needed to test on a Windows machine (mine was Linux), and I saw that (let's call him) "John", who had a Windows box was away from his desk. Just on a hunch, I sat down and typed his username, and entered "password" for the password (literally). Poof, I was in! So I did my little test thing and was about to log off, when "John" appeared, smiling. He said, "Oh thank God you got my login, I've been locked out of the system all day because I can't remember my password! What is it?" It was perhaps the only time in my life I actually knew what it meant to "be at a loss for words"

These are group passwords in IPSEC profiles

[colinmcnamara]

From the referenced article - "The passwords are so-called "phase one" passwords, and must be combined with a second password to access the network, the source said. " 99% chance they are using some form of Cisco device as their VPN concentrator (most like a VPN3030, ASA or 7200 series router). If they are these passwords (one per group) are in what is called a pcf file in every employees computer that is allowed to connect. Heck, if you use a Cisco vpn it is on your computer in the following location - C:\Program Files\Cisco Systems\VPN Client\Profiles . The group pass is encrypted with weak encryption that is commonly cracked to allow linux laptops to connect using vpnc. You can do it on the web here - http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode

The thing is, this group password's primary use is to segregate users into different buckets. E.G contractors may have on password, with different authentication methods, while permanent employees are in a different bucket, with their own authentication methods. The key thing, is that once this first password is provided, the end user still has to provide a unique username and password to gain access. So in effect, having the group password alone is meaningless.

On top of that, I frankly would not be surprised or peeved if a network engineer had possession of PCF files for the network he is responsible for. What is next? Is the DA going to try to prosecute him for having diagrams and configs of the network he is managing on his laptop?

RTFA

[Estanislao+Mart�nez]

Why did the DA even have access to these passwords? Why were they not in hash form? Did Child's have anything to do with that part?

From the article:

The passwords, discovered on Childs' computer, pose an "imminent threat" to the city's computer network, according to the court filing. Childs could use the names and passwords to "impersonate any of the legitimate users in the City by using their password to gain access to the system," the motion against the bail reduction states.

So, in answer to your questions: probably because the police found them as a result of their investigation, because Childs allegedly kept them in plaintext, and yes, allegedly, Childs had plenty to do with it.

Do you have any other questions? Perhaps the article answers them.

Re:RTFA

[masdog]

Do they even know what those "usernames" and "passwords" are for? Did they check any documentation or did they just assume that the list was a list of individual users and passwords that Childs could use to wreck havoc?

After reading the article, it seems like the list consists of Cisco VPN group names and pre-shared keys, not usernames and passwords. To someone who isn't familiar with the technology, it would look like a username and password, and I'm sure they are counting on the technological ignorance of the Judge and the general public to keep up this charade.

It will be interesting when this thing finally goes to trial. The city is probably going to end up eating its words.

Re:NEVERMIND!

[rahvin112]

It's government. To think like government in implementing something like VPN you have to conceive a solution that involves the user not having to do anything (other than maybe push a button) and this includes anything other than a standard login box. Second you have to implement this in a way that the user themselves can go home and implement this solution without any site help from anyone and zero technical knowledge. (you don't send an IT person to a State Employees home, that's asking from some kind of lawsuit). Fourth the solution must be as expensive as possible, support some local business (preferable if the business owner is connected politically with one of the local leaders) and require very few extra hours from the already overworked staff.

What does that result in? Hardware VPN boxes plugged into the network router, with the users computer plugged directly into the VPN box. Costs a lot, requires pre-configuration of the box but should require no site visits, idiots can usually successfully plug in boxes with phone support only and any reconfiguration likey requires the box to be brought back into the office as the VPN keys on the boxes are likely hard coded into a configuration on the VPN device. Likely a turn key solution so you have a hefty support contract and the vendor would likely assist with deployment and any reconfiguration resulting in a nice contract fee for reprogramming all the boxes.

My guess is some VPN box provider is going to be doing a service call on every box and netting themselves some nice profit under their support agreement.

The reason for password disclosure

[Hanzie]

from TFA --

The username/password combos were apparently functioning sets. The DA is saying they found them on Child's own computer. The DA is all in a tizzy because Child's could then use these accounts to sneak into the system and cause mischief without getting tracked back.

Right. The only guy in the world with God level access to this network needs fake usernames/passwords so he can 'cause mischief'?

Give me a fucking break. I can think of many reasons for him to have those combos on his personal system.

1. He's checking to see what naughtiness has already happened with those accounts
2. He's got accounts so he can log in with a lower level of access and see what's accessible
3. These are usernames/password combos that he sniffed off the network, during routine security testing.
4. These are people with accounts that have had some kind of trouble, and he's got them so he can attempt to diagnose problems linked to user level access.
5. It's a list of post-it pad's he's seen while walking around at work, and he'd been planning to inform the users to change their passwords.
6. They're the output list of a password security checker.

Apparently the less than brilliant DA's office is unaware that the GOD level admin has the ability to do anything at all on the network and REMOVE ALL TRACES IN THE LOGS afterwards. It's trivial, when you're the one who runs the tattletales.

Dear DA office: IF YOU LOOK HARD YOU'LL UNDOUBTEDLY FIND EVIDENCE TRACY EAVESDROPPING ON THE NETWORK SNIFFING AND ATTEMPTING TO ILLEGALLY PENETRATE THE SYSTEM. IT'S PART OF HIS JOB, MORONS. IF YOU KEEP BRINGING THIS CRAP UP, YOU'LL ONLY LOOK STUPIDER.

Keep this up, and Nifong will have company in the 'worlds dumbest DA's club'

Re:Suddenly Childs seems quite normal

[actionbastard]

"...because he didn't really have the authority to do that..."
But his supervisors and everyone in his department knew he was the only one -the 'go to' guy- that really had the in-depth knowledge to figure out problems and make stuff work. If they let him do that without objection or questioning his reasons, they gave their tacit approval to allow him to operate in the fashion that he did.

Re:Then the users will change them right back

[AJWM]

Are you sure this guy hadn't called support to have his password reset? Because "password" sounds like something they might reset it to, and unlikely for someone to forget.