Access to system

[monty400]

I have access to a system. I know the VPN password and I am in. I have local admin rights on one of the servers. I am not malicious and do not want to do anything. I just want to let the proper people, in this case the media know what is going on in this government agencies. What kinda of damage can a hacker if he got into such a system. I need this information to present it to the media. If any one can help it would be appreciated. Just an update. I was the Network Admin. The VPN password was not changed. I used a users credentials and got in to the terminal server and logged in with locally with my old admin password, how incompetent is that. So technically i have not broken in, I just walked right in. I am trying to protect the clients by exposing these incompetent people.

Thanks

[MrLinus]

A few thoughts:

1. You have broken the law by accessing that system.

2. You should be notifying that agency that they have a violation, not the media. See point 1.

3. Depending on the agency, with local system access rights you could do a lot or nothing. The local system could be a honeypot with false info in it. Or it could be a very important system that has info that if made public could cause lots of lives to be lost (then point 1 could be changed to treason if you made that info public).

[monty400]

I was the Network Admin there. I created that VPN password and it is still used. also this is a terminal box with local admin right with my old password. So it is real. A hacker can install software to capture a host of information. I am not doing this to harm anyone. I just want to point out the managerial idiots that work there.

[Linen0ise]

Good question: would you "record" your call to the FBI to report and save the recording in case they are looking for a scapegoat? Or would you report it to a whistle-blowing site like wikileaks.com that is a community of everybody including law enforcement? Your access to the system will get lost in a sea of curiosity.

[nihil]

Monty,

Please forget about it.............the media neither care nor understand......in that respect they represent the public perfectly

MsM is correct, you should inform the agency concerned. If I might be allowed to play "devil's advocate" I would look at your statement:

I was the Network Admin there. I created that VPN password and it is still used.

You were in a position of trust? as a juror I know nothing about computers, but I do understand trust and responsibility?????????????

Obviously; you found this out because you "had an old shortcut on your desktop, and clicked on it by mistake?"..............

They could live with that one because it implies that you are almost as incompetent as themselves I think that gets round a part of MsM's #1?

Another thing you need to ask is whether you left them on "good terms" or not? If you were fired or made redundant your actions would be construed as "sour grapes"; and if you left on good terms it would be considered downright disloyalty. I am afraid it is a sort of "catch 22" situation?

I have been in a similar situation but was not aware of it until I was asked to go back to the site and help them fix a problem.............they told me my ID and pass were still valid "because we knew we would have to call on you sooner or later, John"

Yeah, well.............................

EDIT:

Couple of afterthoughts:

1. Did you have a signed off site security policy on what to do when a member of staff left?

2. Was having a common VPN password a good idea? Let's face it, nobody has any regard or respect for common passwords.

I would take the view that these issues were well within the remit of the Systems Administrator rather than the management?

[monty400]

Thanks for your input nihil. No there was not any signing off any security policy.
Yes I was Network Admin. But as for one a Network Admin is responsible for the the security of a Network and management is also responsible to make such action is followed. When a user leaves all access from the network should be terminated. In the case of a systems guy leaving, access to the system should be completely closed; yes all password should be changed. Say I was a malicious person all I have to do is go to hacker bulletin boards and upload information. I am concern for the clients because it seems this agency is incompetent in providing adequate security for their systems thus potentially harming client information.

[nihil]

Hi Monty,

The lack of a documented security policy is certainly a major shortcoming, however, I doubt if the management even realise the need for such a thing. In my experience they tend to rely on their IT professionals to take the lead in that area.

I agree that when an employee leaves then their user account should be closed, and if you are going to fire someone you should do that before telling them, and escort them off the premises. I have known cases where ex-employees have wreaked havoc before their account was closed.

I guess it is not unusual for common passwords not to be changed when someone leaves, but this is for applications that can only be accessed if you have a valid account and access to a local network machine. Stuff like pricelists, inventory specifications and the like. Because these accounts don't have data entry or modification rights this approach is usually considered satisfactory.

Your guys certainly don't understand VPN, but would you expect non-IT people to do so?

I guess the real issue is that even if you can get to the server, what can you do from there? Would it expose any sensitive information?

[monty400]

There is no information on that server its a terminal server but has access to the main database that is web based; software could be loaded, such as hacking software to capture passwords and so on. I just cannot comprehend why these guys would leave such a security hole. If I were malicious and gave this information to a hacker and they were good it would be lights out then client information would be at risk. You are right that I should inform them of it but I would love to report this.

[CybertecOne]

While you are connected and logged on to the server, change your password quickly to something difficult to remember. You only have to type it in twice and never think of it again.

Problem solved.

If you do not agree, then obviously your concern is not protecting to client, or 'doing the right thing' as you want to make a big deal out of the issue, most likely for personal gain.

CTO

[westin]

I would either alert them to their problem, or simply forget about it.

I work as a network/systems admin, and there are a ton of passwords that would have to be changed if I left. There is also a good deal of trust. If I were to part with my current employer, I would probably just sever all ties, and hope for a good recommendation.

It is not worth it to me. That would make for a big gap on my resume, because of an employer that I could not list. And as MSM pointed out, there is a possibility of charges being brought. Industrial sabotage comes to mind. [I think that is what it is called here in the states...] Not to mention wire-fraud, etc.

I have been ticked at employers too, but sometimes you just have to suck it up.

I guess that is what it really boils down to. Are you just angry with your former employer, or do you care about the integrity of their systems? If the former is true, walk away. If the latter is true, send them a letter/email describing the problem, and your suggestion as to how to fix it.

Hope I didn't come off as sounding offensive. It was not my desire.

Welcome to AO.

Cheers!

westin