November 26th, 2003, 04:28 PM
What's your password?
I am researching common social engineering practices to support a proposed change to my company's AUP. One reply I received, from a programmer I haven't talked to since my college days, is listed below. Even though this is published in Tech humor, please remember that no matter how tight your security is, a user can set you back months with a simple statement.
This is my friend’s story:
Years ago, as an IT consultant, I was assigned to write and install a mortgage application program for a local bank.
When the client software was ready, I made an appointment to install it on 30 machines at the bank's main branch, and on the appointed day I go to the bank lobby and walk up to a teller.
"I'm the computer guy and need to install a mortgage application for the finance department".
The teller points me to a security guard. "I'm the computer guy and need to install a mortgage application for the finance department".
The guard directs me to the finance department on the second floor. At the first occupied desk I again say, "I'm the computer guy and need to install a program on your PC. May I have your password?"
And at all 30 desks, without fail, the employees tell me their passwords and turn their PCs over to me, without asking for identification or even my full name.
When I’m finished with the install, I ask to speak with whoever is responsible for security.
The V.P. in charge calls me to his office and I say, "I just walked into the bank and not a single person asked me my name, my company or for any identification. And every single person freely gave me their password. All I had to say was 'I'm the computer guy and need to install a program on your PC. May I have your password?'"
"Well, they may have given you their password," the VP says, "but you don't know our system and wouldn't be able to access anything confidential."
"Let me demonstrate how easily I can access confidential information on your computer. I just need your password."
Minutes later, after I closed my personal account at the bank from the VP's computer, I turn to walk out the door.
"But how were you able to figure out our system so quickly?" asks the VP.
Simple: "Because I'm the computer guy!"
Months later the VP's password and username were still the same!
November 26th, 2003, 09:33 PM
That's unbelievable. Even after you let him know his weakness he still didn't change it. It's people like this who get taken advantage of, and I truly believe they deserve it.
November 26th, 2003, 10:08 PM
Heh, maybe they figured that since you told them, you'd think they'd go change it, and therefore they did not???
Uhm, yeah... there IS some "logic" in there... LOL
November 27th, 2003, 02:06 PM
This kind of thing happens quite a lot. I used to work for the largest telecommunications company in the UK, where I did credit management. This gave me access to XDirectory phone numbers, bank account details, debit card details and addresses of every residential customer that used the company. There were checks in place to ensure that you couldn't just wander in and out of people's accounts, but these checks were only for the advisors; obviously managers, being in a trusted position, had free access.
But on more than one occasion I needed more access than my account would allow (I also helped out with installing new software and general tech stuff as well), so instead of the manager logging in for me and then waiting while I did what needed to be done, he would simply note down his user/pass on a post-it and give it to me. This account gave me full access to all systems, including those of the Royal Family and Government officials. Heck, I could have refunded myself a couple of thousand pounds to my account if I had wished.
Luckily for him I ain't that kind of person, but it is these lax security measures that are a sysadmin's greatest threat, not "hackers".
November 28th, 2003, 06:29 AM
My favorite is when some genius decides to have a group account and password. No accountability, no trail to follow. Then people leave and no one changes it.
"Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot
November 29th, 2003, 12:00 AM
Here is my password
right before I changed it to post here
Here is an extremely small password generator I have been using for almost 8 months now, and I still cannot believe the speed at which it generates random passwords. The program is only 20.82 KB zipped! I am not trying to advertise a product or tell anybody to use it, but if you are still using the same password you used for the past year on every site you visit, maybe you should look into it. Oh, I forgot, it is also FREE.
Random Password Generator 1.0
for Windows 9x/ME/NT/2000/XP
(c) Dirk Paehl 2002
Random Password Generator allows you to generate any quantity of passwords with one mouse click. Using Random Password Generator you do not have to think up new passwords; Random Password Generator will do it for you.
The main features of Random Password Generator:
- generating passwords 1-24 symbols in length;
- including special symbols (@, !, #, etc.) into the password;
- composing password using only symbols you listed in the 'other symbols' field;
- the ability to save to the text file or to copy to the clipboard one password or a password list.
I hope this helps somebody out.
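The tool described above is a 2002 Windows binary, so here is the same feature set (lengths 1-24, optional special symbols, a caller-supplied alphabet from an "other symbols" field, and a list of passwords in one go) as an added example in Python. This is not the original poster's code nor Dirk Paehl's program; the function names, the SPECIAL set and the 24-character cap are my own choices. The one point the feature list does not make, and the one that matters for a generator you trust with bank logins, is the entropy source: this uses the `secrets` module (OS CSPRNG, unbiased `choice`), not the seeded `random` module.

```python
"""Random password generator built on the OS CSPRNG (added example, not the original tool)."""
import math
import secrets
import string

# Special symbols offered by the tool's "include special symbols" option.
# Assumed set: the page only lists "@, !, #, etc.".
SPECIAL = "@!#$%^&*()-_=+[]{};:,.?/"

MIN_LEN, MAX_LEN = 1, 24  # the tool's 1-24 symbol range


def build_alphabet(lower=True, upper=True, digits=True, special=False, other=None):
    """Assemble the character set to draw from.

    If `other` is given it is used exclusively, mirroring the tool's
    "compose using only the symbols you listed" mode. Duplicates are removed
    so that a character listed twice is not drawn twice as often.
    """
    if other:
        chars = other
    else:
        chars = ""
        if lower:
            chars += string.ascii_lowercase
        if upper:
            chars += string.ascii_uppercase
        if digits:
            chars += string.digits
        if special:
            chars += SPECIAL
    alphabet = "".join(dict.fromkeys(chars))  # de-duplicate, keep order
    if not alphabet:
        raise ValueError("alphabet is empty")
    return alphabet


def generate(length, alphabet):
    """Return one password of `length` characters drawn uniformly from `alphabet`.

    secrets.choice() uses secrets.randbelow(), so there is no modulo bias,
    unlike the classic `chars[rand() % len(chars)]` pattern.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_list(count, length, alphabet):
    """The tool's 'password list' feature: `count` independent passwords."""
    return [generate(length, alphabet) for _ in range(count)]


def entropy_bits(length, alphabet):
    """Entropy of a uniformly drawn password: length * log2(|alphabet|).

    This is what the extra symbols buy you; 12 characters from 86 symbols
    is about 77 bits, 8 characters from 26 lowercase letters about 38.
    """
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    full = build_alphabet(special=True)
    for pw in generate_list(5, 12, full):
        print(pw)
    print(f"{entropy_bits(12, full):.1f} bits each")
```

If you want the classic "at least one of each class" rule, reject and redraw whole passwords rather than forcing one character per class into fixed positions; forced positions shrink the search space for an attacker who knows the policy.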
November 30th, 2003, 09:14 PM
That is pretty crazy. I've had instances at school where a group account was used. Each PC had a user account for a different class period, but the passwords were exactly the same and couldn't be changed. So I implemented my own protection strategy for my "group" account on this thing. My program kept logs of login times, and even prompted for a second set of passwords and noted whether they were correct or not. Of course you could Ctrl+C past it, but it kept logs that I would check. But to make things worse, the "student folder" for each group was on a publicly accessible drive and it was a breeze looking at the work of other students anyway. So I set up a second set of protection, but it didn't quite work out since Explorer would complain about running "potentially unsafe" ActiveX controls... And then some kid asked me for some of my code, I gave him a small sample, and he recommended it to the teacher to protect the students' folder, claiming it as his own... Unfortunately this kid also thought he could put his password into a DB in MS Access and use the password mask to protect his password... I noticed that pretty much everyone in my class had an urge to beat him up one of these days...
On a different note, that is pretty scary, especially having seen parts of this myself in a school environment. The one thing I've seen people protect is the password to their Hotmail account. There probably isn't a big enough incentive to protect anything else...