Slashdot Mirror
10% of IT Pros Can Access Previous Jobs' Accounts
dinscott writes "According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users' electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence. It's no wonder then that half of them are concerned about insider threats to network security in their company's current infrastructure! But one of the most surprising results shows that one in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they've left the organization."
but is it my responsibility to suggest they change the password? especially since a 'professional' it outsourcing company took it over?
My last action in my previous sysadmin job was to disable my own old accounts. If I find that they're accessible to me again, it means that:
I have a memory that absorbs passwords. I know that two years down the track after I left one company they called me asking for the Directory Services Restore Mode password. This was all well documented when I left. From this same incident I also know that the Admin passwords and the remote connection were all still using the same settings as when I worked there.
Not surprised in the slightest.
Cheers, Chris
People often leave on good terms and the accounts are kept so the ex-employees can help out later here and there if asked.
Go green: turn off your refrigerator.
Even though that's the case (and I'm actually surprised the number isn't higher, considering my own experiences), the real revealing thing about this is that the VAST majority of IT professionals are professional enough not to take advantage of this or to retaliate against former employers. With the exception of a few high profile cases, almost all IT workers do not use these backdoors for sabotage, theft, etc.
SJW: Someone who has run out of real oppression, and has to fake it.
This was one of our IT assistant director's ideas. I was uncomfortable about it from moment 1, but I did as asked. Someone about a year later looked at me like I was crazy when I said that that's what happened and told me to disable the account immediately.
I don't know why I'd want a former employee logging in, ever.
Lat place I worked (may it rot in Hell) I hired a junior admin (whom I like, and now feel really bad for accidentally screwing that way) whose previous company did that. It was a small organization and they'd only had him and another guy in IT. Every so often they'd pass him a few bills to login and fix something. Worked out well all around, he made a few extra bucks and they didn't have to do a panicked job search to replace him instantly. Definitely a terrible idea from a strict IA perspective, but it was a family owned company and they liked and trusted him (with good reason, he was a likable, trust-able guy).
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
I'm with you right up til you start talking about mandatory password changes. Research has pretty well proved by now that making people change their passwords regularly means they write them down. A written down password provides a worthless level of protection from from almost every attempt to get into a system. Statistically a person with a secure password they can remember is far more secure then any number of new passwords they cannot.
we are all invisible unless we choose otherwise
I have a customer who stiffed me a few hundred bucks for sysadmin work, and he has yet to change his passwords. I doubt he even knows how. I ran across one of them a while ago and sure enough it logged me right in to the account for his colo provider. I did nothing. In fact I even notified him that he should change his password and "oh you still owe me" and never heard a word.
"Hello, my name is Inigo Montoya. You stiffed me money. Prepare to be Pwned!"
Nobodies Prefect
Tidbits for Techs Technology Blog
social engineering is so very simple, and so very effective, true.
Google a mid-sized company enough to know the name, position and email-adress of an employee, and the name of one of his/her supervisors.
"Hi, it's from [network-provider] - I got a report that you where having some trouble accessing your email, [name-of-supervisor] couldn't get at his at all today - do you have a minute to perform some tests on your account ?"
People will gladly tell you their passwords, if it appears you know what you're doing and you know even a *tiny* bit about their environment, enough to make you seem legit.
It's not hard.
Last year I actually lost a client for being too security conscious. They were a part-time client and only usually called me when it was an absolute emergency...most of the time when a problem happened they would try and fix it themselves, make it worse then call me. I tried to talk them into letting me come in once a month to patch and update on a scheduled basis. I was told I was trying to fleece them and pad my hours and that they felt they needed to take IT in another direction.
Nearly a year later I am still receiving backup notices, a few ,months back I found out accidentally that the root password hadn't changed when I ran a maintenance script that I used to do a resources audit, forgot to change the account info to a different client. I called them right away and instead of "thanks we will take care of it" I was told that I was hacking and that if I didn't stop they would report it to the police. I even tried talking to their new IT guy (one of the owners nephews) but he told me he was not allowed to speak to me and hung up.
I'm actually worried about the former client but am completely at my wits end about what I can do about it and frankly i'm worried that when the inevitable happens the first person they will attempt to blame for any disaster is going to be me. For now all I have been able to do is document my efforts to get them to fix the issue.
When I leave a place, or a contract is over, I usually work it into an email to request my credentials be removed, or account disabled. When something goes wrong, the first thing everyone does is point a finger at the last person that left. If my account has been disabled, it's pretty easy for me to prove my innocence and not waste time trying to convince anyone. Also puts a little more weight into your argument when you produce an account revocation document which a company was negligent in following through with. Doesn't sound like much, but makes a *huge* difference when the witch hunt starts.
boycott slashdot February 10th - 17th check out: altSlashdot.org
A key is a password too.
Just because the machine types in "ssh-dss AAAAB3N...uxIOH1" for you doesn't make it inherently more secure. If not properly managed, it's less secure, because it goes from "something you know" to "something anyone who gained access knows".
Have copies of companies assets in their possession. OR physical assets of the company still in their possession.
I was cleaning out some junk data the past weekend, went through my archive of 900+ CD-R's of the past 14 years and found several discs that I shredded as they contained company data from old employers. I also found a binder with a printout of some sourcecode that was for a old job from before 1995.
I dont worry about the guy that can access a server at work, I worry about the guy that leaves the job with a 64gb thumb drive that has the entire customer database on it.
Do not look at laser with remaining good eye.
Yes a real PRO knows.
My desk at comcast, one I have not sat at for 7 years now is STILL empty and has my PC on it's desk logged in and running as me. I know this as friends in the department tell me that they still have not moved from my test server on my local machine to a production server so they simply still log in as me with the same password. That will teach them for hiring only MCSE's, one linux box confuses them.
They do use my cube as storage though.
Do not look at laser with remaining good eye.
People often leave on good terms and the accounts are kept so the ex-employees can help out later here and there if asked.
At my current job, I've replaced a guy who accomplished a hell of a lot in the two years that he was here. There's a good chunk of stuff here that my boss doesn't really feel comfortable with. So he disabled my predecessor's account, instead of straight-up deleting it, in case we had to call him in for help (at which point he would have been paid as an independent contractor).
But that account is disabled. Even though it's still got the same credentials on it, and could be re-activated and used in an emergency, it doesn't currently work. My predecessor could not log in right now if he wanted to.
You'd have to be crazy to intentionally leave an account active and functioning after someone leaves the company.
"Work is the curse of the drinking classes." -Oscar Wilde
Most places will happily give you every password in the world when you start a job there. And sometimes the "intermediate" stage between you leaving and someone else doing your job is filled with outside contractors and random people who "need" your passwords.
Whenever I leave an employer, I make a BIG list of everything I know in terms of passwords, passcodes, keys, etc. and compile it on paper or a CD. I put literally everything in there, even down to little foibles of the system and the reasoning for strange configurations. I then furnish the boss with one copy of that CD, hand him another copy to "put in a safe place" (usually a safe) and then leave.
I did this at my last workplace. They were getting increasingly silly and employing people with zero expertise, and I already had another job already lined up so my entire notice period was spent house-cleaning and compiling lists while taking care of the mundane jobs.
Technically I reported only to the headteacher of the school in question, having been employed by him without any formal assignment in a staffing structure (to the point where the local borough phoned up to complain that I was earning too much for any of their pay-scales and had to be put on my own unique one).
When I left, there was no replacement for me (because they weren't interested in employing the only guy out of all the candidates that *could* do my job because he had formerly worked in Tesco's supermarket rather than sit on his arse in the middle of a recession) so I handed off to the headteacher. This immediately caused an argument because one of the new staff who was the new "second-in-command" there (and that decision was partly responsible for me wanting to leave in the first place!) DEMANDED the "admin password for the network".
He wasn't an IT guy. He knew nothing about computers at all. He just wanted it because he was sure that the dozens of digital voice recorders that he'd bought on a whim (without IT authorisation) could be made compatible with the non-networkable, kiddified, decades-old audio editing software he'd bought on a whim (without IT authorisation) on the network he didn't know how to manage, no matter how many times I told him they were incompatible. He was convinced that if he somehow got the "magic" administrator's password and then let 1000 kids loose with it so they could listen to themselves talking, it would solve his problems with not teaching part of the IT curriculum.
Obviously I must have been deliberately lying when his DRM'd-AAC-only recorders couldn't be opened in a program that only took WAV's (not even MP3's!) and that an intermediate conversion step (which he DEMANDED shouldn't be necessary and refused to use) was required.
Apart from the fact there were three networks, there were dozens of different passwords, and he wasn't getting *ANY* of their passwords until I was way outside the building and long gone, I had a duty to protect the information secured by those passwords (information on kids, people's salaries etc.). If you read the rules precisely, that means that I had to hand off ONLY to the headteacher, who could then hand off passwords to others as they saw fit.
So I did just that, in the process making my own day by telling the guy "No." even if he WAS second-in-command there (he didn't seem to understand that I didn't report to him, no matter what he thought of that idea). He was rather miffed. I also, with the head's permission, gave a copy of the CD to the lead governor of the school who was a big-iron IT guy for his day-job, that we both knew we could trust - he would be fixing any major issues that occurred in the school until they could find a replacement and he was there to sign-off on my hand-over.
A week later, a phone call from the second-in-command. He'd got the administrator password, tried it out on several PC's and couldn't do what he wanted (ignoring the fact that he wasn't using ANY of the network software management that we had in place). So he demanded that I give
If only the company who commissioned this survey happened to sell a bunch of account and identity management tools.... Oh, they do? What luck!
In an institutional setting(where a good slice of any individual's coworkers can probably obtain physical access for 10 minutes without drawing suspicion, and whatever contract cleaning service was cheapest gets absolutely insane levels of physical access, granted to the high-turnover pool of whatever poor bastards they can find to do night-shift cleaning for $not much/hour, written passwords are, indeed, just asking for it.
In a physically secure environment, though, if you are concerned primarily with internet threats(as with, say, home banking) an excellent written password can be a perfectly decent strategy(particularly if you do something like remember an ok password, then append the written-down 20-character-line-noise one... Even a breakin won't get somebody what they need...).
Ultimately, though, if it is really that important, you should probably suck it up and go with some flavor of cryptographic token + password. They aren't terribly inexpensive, and everybody hates them; but they are better.
Wrong. 99% of attacks will come from out on the internet somewhere. Having your password written down does not make these any more dangerous. Having a good password written down is far more secure than having a memorable password that you never change.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I know I still got access because they called me from a previous job if I could help them out and I just tried my login during the call to see what was going on and it was still there. I just thought "oh", fixed the issue and mailed that I still had access and left it at that.
I am a pro but not a sys admin. If I do not work for them, I do not have a need to access their servers and so I don't. Not very hard. Disgruntled? Even then I wouldn't because it would be against the law and could seriously hurt future employment.
The trick therefor for companies is to both have good account management AND hire professionals who care about not becoming a criminal.
Seriously kid, to anyone who read this, you just gave a massive reason NOT to hire you.
Do I as an employer constantly have to worry if it is that time of month for you?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
A post-it note kept in ones wallet? Secure
When I need to do something like this, I use a several character cookie that resides in different positions of the passwords. The cookie is a placeholder for an additional sequence of characters - remove cookie and insert sequence (character count of cookie and sequence should not match). I never write the cookie down. When I need to use the password, I look it up on the slip in my wallet and then mentally replace the cookie with the actual sequence of characters. This allows for strong passwords unique to each system / environment that can be changed on a regular basis. I only have to remember a smaller sequence that is commonly used - less to remember and a better chance of repetition to help enforce / refresh that memory.
Granted - an observant attacker who got possession of my password list might notice the cookie repeated in each password listed. But it does present an additional hurdle.
Sometimes the goal is not actually security. The goal is to comply with some regulation (PCI, HIPAA, etc.) whose authors did not understand security, but thought that monthly password changes, a 12-character minimum length, and no reuse for the last seven passwords in the history; makes for some fine theatre. Also, substitute "regulation" with "C-level exec" and you get a similar situation.
Yes, I actually worked at a company once that had that password policy.
Imagine all the people...
If I had to guess, I'd bet there was an account left over at a former employer, but there's no way I would check, even for curiosity. Seems like they might be dumb enough to leave a hole, lucky enough to notice the access, and vicious enough to make a legal issue of it. I know they were too dumb to disable the notices to my mobile phone when a NAS went into panic 2 months after they laid me off. I called to tell them about the problem before their contract "IT guy" arrived for the day.
Or exactly the same security as a password that is stored in Desktop/passwords.txt, anyway.
That's why I stor my passwords in a text file named PamAnderson.mpeg.
NO ONE ever even askes about it.
If you want news from today, you have to come back tomorrow.