10% of IT Pros Can Access Previous Jobs' Accounts
dinscott writes "According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users' electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence. It's no wonder then that half of them are concerned about insider threats to network security in their company's current infrastructure! But one of the most surprising results shows that one in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they've left the organization."
But is it my responsibility to suggest they change the password? Especially since a 'professional' IT outsourcing company took it over?
Admin
Passw0rd
My last action in my previous sysadmin job was to disable my own old accounts. If I find that they're accessible to me again, it means that:
I have a memory that absorbs passwords. I know that two years down the track after I left one company they called me asking for the Directory Services Restore Mode password. This was all well documented when I left. From this same incident I also know that the Admin passwords and the remote connection were all still using the same settings as when I worked there.
Not surprised in the slightest.
Cheers, Chris
Today's top news is that network security isn't - administrators do not audit accounts or access to ensure that only authorized people can access the company's equipment.
In other news, HB Gary is in the market for new network admins and security tools.
This is why it's important to implement regular audits of systems. A financial or health-care institution should do user-access audits a minimum of every 90 days. Password changes should obviously be set to a fairly regular interval as well but, even more important, there needs to be a checklist with dummy-proof instructions for the process of removing access of any terminated employee. As systems change, the procedure should change, too.
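One way to run the 90-day user-access audit the comment above calls for, as an added example that is not code from the thread: reconcile an export of enabled accounts against the HR roster of current staff and flag orphaned personal accounts, service accounts whose sponsor has left, and accounts nobody has used in the audit window. The account fields and the sample data are constructed assumptions; in practice they would come from an LDAP/AD export and an HR feed.

```python
"""Stale-account audit for a 90-day user-access review (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

DORMANT_DAYS = 90  # review interval suggested in the comment above


@dataclass
class Account:
    username: str
    owner: str                  # responsible person; for service accounts, the sponsor
    last_login: Optional[date]  # None = never logged in interactively
    is_service: bool = False
    enabled: bool = True


@dataclass
class Finding:
    username: str
    issue: str      # "orphaned", "owner_departed" or "dormant"
    severity: str   # "high" or "medium"
    detail: str


def audit(accounts: List[Account], roster: Set[str], today: date) -> List[Finding]:
    """Return findings for enabled accounts that no longer match the roster
    of active employees or have not been used within DORMANT_DAYS."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already locked; nothing to review
        days_idle = None if acct.last_login is None else (today - acct.last_login).days

        if acct.is_service:
            # Service accounts are expected to be non-interactive, so the only
            # question is whether the person responsible for them still works here.
            if acct.owner not in roster:
                findings.append(Finding(acct.username, "owner_departed", "high",
                                        f"sponsor {acct.owner} is not an active employee"))
            continue

        if acct.username not in roster:
            # Personal account with no active employee behind it. Recent use means
            # someone is still logging in with it, which is the case to escalate.
            recent = days_idle is not None and days_idle <= DORMANT_DAYS
            findings.append(Finding(acct.username, "orphaned", "high" if recent else "medium",
                                    f"no active employee; last login {acct.last_login or 'never'}"))
        elif days_idle is None or days_idle > DORMANT_DAYS:
            findings.append(Finding(acct.username, "dormant", "medium",
                                    f"no login in {DORMANT_DAYS}+ days ({days_idle or 'never'})"))
    return findings


# Constructed sample data: a fixed "today" keeps the result deterministic.
TODAY = date(2024, 3, 1)
ROSTER = {"alice", "bob", "dave"}  # usernames of currently employed staff
ACCOUNTS = [
    Account("alice", "alice", TODAY - timedelta(days=3)),
    Account("bob", "bob", TODAY - timedelta(days=200)),          # employed, but idle
    Account("carol", "carol", TODAY - timedelta(days=10)),        # left, still being used
    Account("svc_backup", "carol", None, is_service=True),        # sponsor has left
    Account("svc_monitor", "dave", None, is_service=True),        # sponsor still here
    Account("erin", "erin", TODAY - timedelta(days=400), enabled=False),  # already locked
]


def run_sample() -> List[Finding]:
    return audit(ACCOUNTS, ROSTER, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:6} {f.username:12} {f.issue:15} {f.detail}")
```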
I suspect that my old accounts are still active but I've never checked. It's unlikely that anyone would notice but there are harsh laws against it.
It would be interesting to know what proportion of accounts are still active amongst people who've looked. I'd expect it to be more than 10%.
I suspect it's higher. People quit because they're dissatisfied, and they have options. Which means that those who stay behind are generally those who have fewer options, and now even more work. How likely are they to even be thinking about changing passwords?
Just this morning I got another set of auto-emailed warning messages from a server where I used to work - and yes, I told them to take me off the list and change the passwords. Since I'm still on the list, how much you want to bet they don't even know how to change a password?
If people are using passwords to log in remotely, your IT infrastructure is already broken.
Even though that's the case (and I'm actually surprised the number isn't higher, considering my own experiences), the real revealing thing about this is that the VAST majority of IT professionals are professional enough not to take advantage of this or to retaliate against former employers. With the exception of a few high profile cases, almost all IT workers do not use these backdoors for sabotage, theft, etc.
It's not much of a surprise that IT departments are sloppy with their security practices. The rational action would be to change the passwords when somebody leaves the department. But IT folks (I'll over-generalize and accuse everybody) are often more concerned about their user's practices than their own. Someone I know got a phone call recently from a person at a company she retired from in 2006. The caller asked if she remembered a password from one of the company's key business systems. Duh. Then there are the IT departments that leave the admin password set to the vendor's default. Duh. When I worked for TWA in the 70's the all-powerful user ID for the reservation system was 1234TW, and so was the password. Duh.
It was my previous employment at a "security firm" that got me hired by Anonymous. ;)
It's always been a problem, and I see it hasn't changed. One of the things I remember from leaving one place a decade ago was just how many systems I had access to as a function of my job as a system admin, and the number of user accounts that came with that - including support vendor accounts. Even though I was ethical enough to tell them what I had access to, and that they needed to change all those passwords, it turned out that they didn't. I learned that when I was recalled as a contractor, and it turned out I didn't have to get a set of new passwords for the system; about half of the old ones still worked. Even worse, the ones that still worked were ones that gave me root access.
And besides, you can't prove anything
I have a customer who stiffed me a few hundred bucks for sysadmin work, and he has yet to change his passwords. I doubt he even knows how. I ran across one of them a while ago and sure enough it logged me right in to the account for his colo provider. I did nothing. In fact I even notified him that he should change his password and "oh you still owe me" and never heard a word.
"Hello, my name is Inigo Montoya. You stiffed me money. Prepare to be Pwned!"
I'm not that surprised by this. I still have access to the network from one of my previous jobs, but it's because they specifically wanted me to still have access in case they wanted help. At another job, it took a while for my account to be disabled because I was the guy who would have normally disabled accounts. I had assumed my boss would disable my accounts when he left, but it took him a while.
It really wasn't that big of a deal, though. I left under amicable terms, and even if I hadn't, I'm a professional. The reality is, even when I still had some kind of access, I had no interest in doing anything with it. I'm always very relieved when I leave a job -- relieved that I can cede all my responsibilities, never log in again, and never fix another problem. Really, it's always bad security to give unnecessary access, but sometimes you need to assess the real threat.
10+% of IT "Pros" aren't really that professional if they're going back to their old accounts to see if they can get in.
The computers of companies where I used to work are beyond the event horizon. I would never even try to log into them without some kind of written request for my former employer.
I used to work for a bank and all of the branch machines used the same default admin account. Even the kiosks in the lobby. Any customer can walk up to them and gain access.
Last year I actually lost a client for being too security conscious. They were a part-time client and only usually called me when it was an absolute emergency... most of the time when a problem happened they would try and fix it themselves, make it worse, then call me. I tried to talk them into letting me come in once a month to patch and update on a scheduled basis. I was told I was trying to fleece them and pad my hours and that they felt they needed to take IT in another direction.
Nearly a year later I am still receiving backup notices. A few months back I found out accidentally that the root password hadn't changed when I ran a maintenance script that I used to do a resources audit, having forgotten to change the account info to a different client. I called them right away and instead of "thanks, we will take care of it" I was told that I was hacking and that if I didn't stop they would report it to the police. I even tried talking to their new IT guy (one of the owners' nephews) but he told me he was not allowed to speak to me and hung up.
I'm actually worried about the former client but am completely at my wits' end about what I can do about it and frankly I'm worried that when the inevitable happens the first person they will attempt to blame for any disaster is going to be me. For now all I have been able to do is document my efforts to get them to fix the issue.
Where I work, we have 2 passwords for most users.
1) LDAP based - controls access to all systems.
2) VPN - remote access.
When a user leaves, I "lock" the VPN and LDAP accounts. I check which email distro lists they are on and remove them and add their boss instead.
Then I set a reminder in the shared admin calendar for a year later to delete the account. We're small.
Every machine has a different root password - 30+ random characters, stored in a KeePassX DB. We never use it after system setup. Remote connections to root are prevented. We all connect with our personal accounts then use sudo for admin tasks. Service accounts don't generally allow direct logins, but ssh-key-based connections are configured for selected needs like backups.
We have less than 100 servers and only 10 NEs, so anything too complex would be a non-starter.
Perhaps I have a simplistic view - enterprises with thousands of network elements and many thousands of servers would be different, but the principles would be the same.
When I leave a place, or a contract is over, I usually work it into an email to request my credentials be removed, or account disabled. When something goes wrong, the first thing everyone does is point a finger at the last person that left. If my account has been disabled, it's pretty easy for me to prove my innocence and not waste time trying to convince anyone. Also puts a little more weight into your argument when you produce an account revocation document which a company was negligent in following through with. Doesn't sound like much, but makes a *huge* difference when the witch hunt starts.
Let's have full transparency and accountability. Enough of having a society of secrets. Now is the time for opening secrets. Secrecy breeds abuse.
I know for a fact that a dev guy that left our company a month or so ago still has admin access all over the place. I have been removing him from accounts over which I have control, but I control nothing of any importance (twitter/facebook). Now, he was a nice guy who left on good terms and we still contact him for help from time to time, so I'm not really worried. But some weirdo who gets fired and has the same access could do some serious damage.
I'm hoping that 10% is actually a low number due to the fact that a real "Pro" doesn't know because they haven't tried. I liken it to those high school graduates who go sniffing around their old high school, roaming the halls, checking to see if their old locker combination works, etc. If you have been asked to leave and haven't been specifically asked to test your login capabilities, why would you be poking around in the first place?
When I worked tech support in college, we caught a former student employee logging into the help account. The guy running it changed the password...but it stayed that way for many years, at least 5 years after I left the job and I could still access the account.
Is it my responsibility not to disclose my password to anyone else, after I have left?
When I left my last job in September, at a big European software and IT services company's office in Pune, India, I had to get the IT department's signature on my "leaving papers". I went to their office, got a signature and my network account was disabled before I even got back to my desk...
My teammates kept offering me their computers to surf the web to pass the time, but I declined. I told them if my account was disabled, I didn't want any suspicions on me for using one of their computers in case anything went wrong. Better that I just stick to the rules and sit at a locked computer chit-chatting with my team until it was time to go. And then the computer was physically removed from the desk before I was...
On the other hand, at the computer I worked at before then and left in 2007, as far as I know some of the developers are still using my computer and account for the work they picked up from me... I thought I modified the program and wrote good enough directions they could've done it from their own systems, but they liked the reliability. Whatever...
Have copies of the company's assets in their possession. Or physical assets of the company still in their possession.
I was cleaning out some junk data the past weekend, went through my archive of 900+ CD-Rs from the past 14 years and found several discs that I shredded as they contained company data from old employers. I also found a binder with a printout of some source code that was for an old job from before 1995.
I don't worry about the guy that can access a server at work, I worry about the guy that leaves the job with a 64GB thumb drive that has the entire customer database on it.
Higher security limits access to regular people. Provides exclusive access to a few. And to an elite of security people. Both will use their power to their advantage, and people's disadvantage. Secret information is secret weapons. Produce democracy. Publish the data.
When you work in the trenches with a tight-knit group of geeks sometimes it makes sense to leave a key under the mat. I have only once used my still-active credentials, and it was to shell in from home to help a former coworker in a pinch, at his request. He was half-way driving from one location in the middle of nowhere to another, a good 30 minutes from the nearest network connectivity, so he used his cell to call me and ask me to run an urgent but simple sysadmin task for him. No problem. Part of the professionalism of the job is being willing to stand by your work and your coworkers even years down the road.
I still have full administrative access to an IBM passport account at a company I left 3 years ago. After the third time I mentioned they should remove me, I gave up and figured, if I ever decide there's anything I need, they can pay for it.
After leaving my last job (a school, on good terms) they'd closed down my personal accounts before I even got home. But all the master admin logins and passwords are still good, as well as all the test users I set up. I can still nip in and yoink some educational resources if I need them.
I could probably still delete everything if I were so inclined. They'd have backups so it would just be an annoyance, but still possible, and easy, which is probably the worst part.
Most places will happily give you every password in the world when you start a job there. And sometimes the "intermediate" stage between you leaving and someone else doing your job is filled with outside contractors and random people who "need" your passwords.
Whenever I leave an employer, I make a BIG list of everything I know in terms of passwords, passcodes, keys, etc. and compile it on paper or a CD. I put literally everything in there, even down to little foibles of the system and the reasoning for strange configurations. I then furnish the boss with one copy of that CD, hand him another copy to "put in a safe place" (usually a safe) and then leave.
I did this at my last workplace. They were getting increasingly silly and employing people with zero expertise, and I already had another job lined up, so my entire notice period was spent house-cleaning and compiling lists while taking care of the mundane jobs.
Technically I reported only to the headteacher of the school in question, having been employed by him without any formal assignment in a staffing structure (to the point where the local borough phoned up to complain that I was earning too much for any of their pay-scales and had to be put on my own unique one).
When I left, there was no replacement for me (because they weren't interested in employing the only guy out of all the candidates that *could* do my job because he had formerly worked in Tesco's supermarket rather than sit on his arse in the middle of a recession) so I handed off to the headteacher. This immediately caused an argument because one of the new staff who was the new "second-in-command" there (and that decision was partly responsible for me wanting to leave in the first place!) DEMANDED the "admin password for the network".
He wasn't an IT guy. He knew nothing about computers at all. He just wanted it because he was sure that the dozens of digital voice recorders that he'd bought on a whim (without IT authorisation) could be made compatible with the non-networkable, kiddified, decades-old audio editing software he'd bought on a whim (without IT authorisation) on the network he didn't know how to manage, no matter how many times I told him they were incompatible. He was convinced that if he somehow got the "magic" administrator's password and then let 1000 kids loose with it so they could listen to themselves talking, it would solve his problems with not teaching part of the IT curriculum.
Obviously I must have been deliberately lying when his DRM'd-AAC-only recorders couldn't be opened in a program that only took WAVs (not even MP3s!) and an intermediate conversion step (which he DEMANDED shouldn't be necessary and refused to use) was required.
Apart from the fact there were three networks, there were dozens of different passwords, and he wasn't getting *ANY* of their passwords until I was way outside the building and long gone, I had a duty to protect the information secured by those passwords (information on kids, people's salaries etc.). If you read the rules precisely, that means that I had to hand off ONLY to the headteacher, who could then hand off passwords to others as they saw fit.
So I did just that, in the process making my own day by telling the guy "No." even if he WAS second-in-command there (he didn't seem to understand that I didn't report to him, no matter what he thought of that idea). He was rather miffed. I also, with the head's permission, gave a copy of the CD to the lead governor of the school who was a big-iron IT guy for his day-job, that we both knew we could trust - he would be fixing any major issues that occurred in the school until they could find a replacement and he was there to sign-off on my hand-over.
A week later, a phone call from the second-in-command. He'd got the administrator password, tried it out on several PC's and couldn't do what he wanted (ignoring the fact that he wasn't using ANY of the network software management that we had in place). So he demanded that I give
Why would I want to?
The crazy thing is that they were so hung up on security on everything else that some of the upper management would keep important documents on a floppy disk in the filing cabinet because "It can't be stolen if it isn't online"!
That's funny. I've seen dozens of instances of floppy discs becoming unreadable. The best is when it's towards the end of a 23 or so disc MS Office install.
Even though it's been 6 years since I worked there, a few months ago I ran some LDAP code that was based on a big intranet package that I built for the company. I had neglected to change the LDAP server address and it still pointed to the LDAP server at the office. It connected and walked the LDAP tree accordingly. So 1) They never changed the LDAP manager password. 2) They actually disabled the firewall rules on both the LDAP server and the edge router that kept people from binding to the LDAP server.
I built everything there to use LDAP as an SSO. The half-dozen intranet sites, email, router TACACS+, and root access on 20+ servers.
I was tempted to send the information to Anonymous or alt.2600, since the company and I parted ways on bad terms. But I don't feel like going to PMITA prison.
Do you mean one out of ten of us can access Steve's account in his previous company? I guess it has already been disabled ;-)
They shouldn't need prior work from a company to access their accounts any more than they should have the desire to access accounts from a company they left. Kind of like Plato's "I can kill but I have no desire to kill".
I wouldn't be surprised if that 10% is more a theoretical number of "could" log in if necessary than "did" log in. I think it shows how trustworthy IT professionals are as a group.
If only the company who commissioned this survey happened to sell a bunch of account and identity management tools.... Oh, they do? What luck!
I wouldn't be surprised if that 10% is more a theoretical number of "could" log in if necessary than "did" log in. I think it shows how trustworthy IT professionals are as a group.
In which case, I'm wondering why they think they can, if they didn't try it?
Are they just assuming that their replacement is incompetent? Did they intentionally leave a back door that they assume is still there?
I wasn't much impressed with my replacement at my previous job. I wouldn't be surprised if some of the admin accounts haven't been changed. I wouldn't be surprised if I was able get in to my old employer's network. But I don't know that I actually can. And I certainly wouldn't have answered in the affirmative on any kind of survey.
A lot depends on what the individual has done in his position. There could be master passwords for networking equipment, and changing those passwords should be trivial, but it could impact monitoring scripts. And really, automated scripts are where closing accounts or changing passwords could bite a new administrator in the ass. Who knows what hidden problems could crop up once you make a change, and since you can't read the current password, some of those broken scripts could end up unfixable without a complete rewrite. Granted perfect documentation and best practices would solve this, but that's not always the case if your IT worker is over-worked.
I shut down my own access myself--as /the/ admin, of course I can do that. Unsupervised. I didn't even tell anybody. Sod them.
Sounds unlikely high. Anyway, I assume Steve is mightily pissed off at this news?
Before leaving my company, I implemented a forward rule on my mail account so I would get any new mails until the account was closed. I had lots of contacts and there is always someone who isn't aware that you've left; that way I could warn anyone who mailed me.
To my complete surprise, 3 months after leaving I received a user and password for the VPN network which allowed me to log in to the corporate network and do whatever I pleased.
Why, you ask? Well they hired someone with the same name as me (first and last) and instead of deleting my account and creating a new one, they just reset the password and gave him my old account.
If I hadn't warned the IT Staff at my old company to remove the forward rule, I would still have access to everything...
I was a second level network operations tech at an ISP, which meant I had access to just about everything we had except the core switches and routers. I was able to access any of that stuff for over a year after I left. I even told my fellow co-workers who remained with the company and they forwarded that information to management. Nothing was done about it for over a year.
Eventually they changed the whole login scheme so I'm guessing that's how my access ended, but I was shocked that they weren't more on top of things like that.
I know I still had access because a previous job called me to ask if I could help them out, and I just tried my login during the call to see what was going on and it was still there. I just thought "oh", fixed the issue and mailed that I still had access and left it at that.
I am a pro but not a sys admin. If I do not work for them, I do not have a need to access their servers and so I don't. Not very hard. Disgruntled? Even then I wouldn't because it would be against the law and could seriously hurt future employment.
The trick therefore for companies is to both have good account management AND hire professionals who care about not becoming a criminal.
Seriously kid, to anyone who read this, you just gave a massive reason NOT to hire you.
Do I as an employer constantly have to worry if it is that time of month for you?
Exit procedures with most companies vary from bad to non-existent. Hell, I've still got my VPN token and access credentials to most of the corporate core systems. Mid-level admin access, but I could still cause an impressive amount of damage if I decided to get disgruntled.
The company I'm currently working at hasn't changed the alarm system code in 10 years. They've fired several vengeful people in that time, plus we've never modernized with a facility access logging/keycard system. Yep, 200 employees all use the exact same master key that opens every door in the company.
A former employee with a copy of their physical key could access a nearby building undetected; disable the alarm; and shut down a major fiber backbone line between Salt Lake and Las Vegas.
If I had to guess, I'd bet there was an account left over at a former employer, but there's no way I would check, even for curiosity. Seems like they might be dumb enough to leave a hole, lucky enough to notice the access, and vicious enough to make a legal issue of it. I know they were too dumb to disable the notices to my mobile phone when a NAS went into panic 2 months after they laid me off. I called to tell them about the problem before their contract "IT guy" arrived for the day.
But how many CEOs can manage to change their passwords, assuming of course they can actually use a keyboard and set theirs in the first place?
At least a couple times, I was asked if I could help even after I left.
You make it sound difficult. In my experience this happens all the time. People are too lazy and systems too disorganized to keep track of or update access. They will usually just take the easy way out. I have seen many systems that not only have accounts still active for employees that have changed jobs (particularly if issuing to job types with lots of turnover), but I have seen accounts still active for people that no longer work for the company anymore. Not only that, I have seen accounts still active for people that don't work any more, period, that are now retired. Not only that, I have seen accounts still active for people that don't exist anymore because they are dead...
I would say that this is the rule rather than the exception. Sure if someone with super user access or something moves on, then IT may feel compelled to do something about it, but a normal account? Can't be bothered. Some use expiry dates, but they quickly get tired of renewing them for contract staff, and annoyed for having to do it for full time staff as well, who get pissed when their account up and expires one day.
I know for fun many years ago I went and checked my email through POP3 and webmail forwarding for an old (5 years+) email account through an independent ISP that I was no longer with. I ended up forwarding 5 years of old spam to myself lol. The ISP had disabled the dialup (yes, dialup) username and password, but just left my account active with my old username and password. I can only assume that once it wasted enough of their server space they might go try and clean it up... then again, likely easier just to buy more HD capacity. I wouldn't be surprised if it is still active, assuming of course that the actual ISP is still around. IT folks will disable the front end thinking they don't have to bother to get rid of the actual account as they can't ever foresee them getting access again... Trouble is, access can come from the most unlikely of places...
So yeah, this doesn't surprise me; in fact the only surprise is that it's supposedly only 10%.
Four years later I still have boxes at a former employer emailing me the 1st of every month to let me know they're still ok and curious if I'd like to play a game.
but is it my responsibility to suggest they change the password? especially since a 'professional' it outsourcing company took it over?
Your responsibility for the site stopped when they stopped paying you. Really.
And besides - suppose at your current job, you took a call from someone who said "I used to work there and I'd like to suggest the following changes in your security...". Were it me, I'd thank him for his interest, hang up, make sure all my areas were ok and secure, check my backups and talk to the network people - and then the boss, and then the security people. I don't care what his intentions were or how good he was back then. He's an "outsider" now.
After his initial prosecution, it took 13 years and a great deal of money, time, and effort for Randal to get his record expunged.
http://yro.slashdot.org/story/07/03/02/0117257/Randal-Schwartzs-Charges-Expunged
I can also get into my old apartment building too, since I'm sure they haven't changed the building security code. I don't see what the big deal is. Yes, I know lots of accounts I could log into at my old employer. Windows scheduler is dumb, so you have to run things under accounts with passwords, which means I know the passwords for many "functional accounts" on Windows that would be almost impossible for the company to change (because they'd have to go around and change them by hand in the GUI on every machine that uses them). I'd be willing to bet that the stuff that runs under my personal account that I told them to migrate... probably still runs under my personal account there. On the other hand, why would I want to log in there? The only reason I would want to is if they called me and asked for help.
I like to memorize part of the password and write down part. It seems more secure than writing down the whole password.