| « Prev | Page 1 | Page 2 | Page 3 | Page 4 | Next » |
That's gotta be one of the most brain-dead security schemes ever.
PS: And while we're doing this if you have any other passwords you would like changed such as Pin Numbers for your bank cards or log on to your private email just send us the relevant information and we'll change those as well.
Here is my new password. Please apply to all applicable systems.
iquitnow Thank you and good bye!
This has to be made up...if not, WTF!
WTF?? you made this up, didn't you Alex. There is no way any one would use this approach in the modern world, right? Please tell me you made it up. No? well, how about the name of the company so I can hack their systems this weekend.
This is where I call shenanigans. Why bother with a password complexity policy if you have no method to audit password security other than manually changing them? Not to mention the fun of sending them across the email system.
Foosball girl must have found out what the forum software admin password was so she could regain the top position over bean bag girl.
Re: Annual About Security (2006-08-09 14:12) by Skeeter S. Deskeet
If it was a shared file on the network, they should have just let the users edit the Excel file directly to save time. And what is with this new buzzword called "security" I keep seeing tossed around?
Is it possible that the spreadsheet in question is only to be used for the weekend? No coding related WTF's today? Assuming the spreadsheet in question was left on a publicly shared drive on their internal network, then yeah, WTF man.... Still though, not that much of a biggie... Well, it wasn't automated either sooooo..... eh... blah.
I really think that the spreadsheet in question is to be deleted immediately after the password update is done.
Hey, it is *still* a step up from storing your PW under your keyboard
No server room is complete without one.
And also please submit your ATM card and pin number. Reply to Iwillrobyourshit@ha.com Hmmm ... I really hope this was over the Intranet with IPsec or something
One employer-related website had a few WTFs, mostly when you called in because you needed help.
They used the website password for their voice-based authentication, so you had to speak it aloud around all your other co-workers, all of whom could have easily figured out what your mandated login ID was. Also, they would be unable to help you if you left yourself logged into their website! If you had exited their website without logging off, you would have to re-connect, login, then logout to allow them to help you. I eventually got sick of this and all the other [less WTF-worthy] problems their site kept having. I changed my password to "thissucks". When I first called in and responded with this password, I was rewarded with an "Are you serious?!" that made it a little more bearable.
We knew she was intelligent.
This was meant to reply to
After all, the staff doing the password changes can be implicitly trusted not to save a copy of this file (or a subset of its contents) for use during the next year...
Heh. My reply to this message would have probably been: No, thanks. I'll change my own password. I can't honestly believ.... nevermind. I can believe it. It makes me sad.
Looks like a phishing scam.
In fact if I got this message, I'd assume it was a phishing scam and delete it.
It could have been worse - pictures of passwords-on-PostIt's on wooden tables might have been involved.
What's great about this is that the e-mail is addressed to Everyone using the To field (instead of BCC). That way lots of people can use the Reply to All function and send their passwords to Everyone. Note that the e-mail says "It's that time of year again." Does that mean that they only change their passwords once a year? Maybe it's too much to ask the password change team to sacrifice more than one weekend per year in the name of security. Also, they don't specify that you can't reuse passwords, so "smart" employees can set up a rule to auto-reply to any e-mail from Network Security & Operations that contains Password Change in the subject with a response that specifies the same passwords each time ("My Windows Logon password should be abcd1234, EmployeeNET+ password should be 1234, and SPM, CRL, and EMS passwords should all be 1234abcd."). That way they don't have to ever really change their passwords.
On top of being ridiculously executed, doing a yearly password change seems very lax in general. Where I'm working, we have to change passwords for all systems (by ourselves, of course. They are OUR passwords) every 90 days. At least 8 characters, containing upper and lower case characters, numbers, symbols, cannot be one of our last 5 passwords (the systems check against a list of our old passwords), cannot contain dictionary words, and cannot be a sequence (ie: May2006!, Jun2006!, etc.). Is it a pain? Yes. Does anyone complain? No. Why? Because we know we have competent Sys Admins running the show.
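The policy this commenter describes (minimum length, four character classes, no reuse of the last 5 passwords, no dictionary words, no predictable sequence like May2006! followed by Jun2006!) is straightforward to enforce at change time, which is the point being made against a hand-edited spreadsheet. The checker below is an added example, not code from the comment or from the site; the toy wordlist, the salted-PBKDF2 format used for the history entries, and the token-skeleton heuristic for detecting sequences are assumptions of the example. The history is compared against hashes rather than a list of old plaintext passwords, so the system can enforce the rule without keeping anything a spreadsheet-style leak would expose.

```python
import hashlib
import re
import secrets

# Constructed toy wordlist; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "company", "letmein"}
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000

# Split a password into runs of letters, digits and other characters.
_TOKEN = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def hash_password(password, salt=None):
    """History entries are stored as salted PBKDF2 digests, never plaintext.
    Assumed storage format: 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(digest.hex(), digest_hex)


def is_sequence_of(old_password, new_password):
    """Heuristic (an assumption of this example): the new password has the
    same token skeleton as the old one and differs only in numeric or
    month-name tokens, e.g. May2006! -> Jun2006! or Pass01! -> Pass02!."""
    if old_password == new_password:
        return False  # identical is reuse, which the history check reports
    old_tokens = _TOKEN.findall(old_password)
    new_tokens = _TOKEN.findall(new_password)
    if len(old_tokens) != len(new_tokens):
        return False
    for old_tok, new_tok in zip(old_tokens, new_tokens):
        if old_tok == new_tok:
            continue
        if old_tok.isdigit() and new_tok.isdigit():
            continue  # counter or year bumped
        if old_tok.capitalize() in MONTHS and new_tok.capitalize() in MONTHS:
            continue  # month rolled forward
        return False
    return True


def check_policy(new_password, old_password, history_hashes, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means accept.
    old_password is the plaintext the user just typed to authenticate the
    change (None if unavailable); history_hashes are prior hash_password() values."""
    problems = []
    if len(new_password) < 8:
        problems.append("shorter than 8 characters")
    for pattern, label in ((r"[A-Z]", "no uppercase letter"),
                           (r"[a-z]", "no lowercase letter"),
                           (r"[0-9]", "no digit"),
                           (r"[^A-Za-z0-9]", "no symbol")):
        if not re.search(pattern, new_password):
            problems.append(label)
    lowered = new_password.lower()
    if any(word in lowered for word in dictionary):
        problems.append("contains a dictionary word")
    if any(verify_password(new_password, h) for h in history_hashes[-HISTORY_DEPTH:]):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    if old_password is not None and is_sequence_of(old_password, new_password):
        problems.append("is a predictable increment of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample history for a user whose current password is May2006!
    history = [hash_password(p) for p in ("Apr2006!", "May2006!")]
    for candidate in ("Jun2006!", "abcd1234", "Tr0ub4dor&3"):
        verdict = check_policy(candidate, "May2006!", history) or "accepted"
        print(candidate, "->", verdict)
```

The sequence heuristic is deliberately broad: it rejects any password that keeps the previous one's shape and only moves a month or a number, which is exactly the pattern the commenter calls out. The hashes are only ever compared, never decoded, so the "list of old passwords" the systems keep never has to exist in readable form.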
Beanbag girl couldn't get past the CAPTCHA
You don't understand, you must *already have* the password to log on to the shared drive, thus it's a foolproof adamantium security system.
If it was a phishing scam, this wouldn't be the correct password.
Storing your password under your keyboard cannot be attacked by a hacker without using a physical or social attack. Having a strong password that you keep written down (preferably on you) is safer than a weak password that you memorize! Most employees are honest and will not abuse your password if they find it under your keyboard. What is more likely to get you a bigger punishment? Hacking into a company you have never worked for, or abusing your powers to steal company info? I think you know the answer.
More than 60% of corporate network attacks come from the inside.
Hey! Quit peeking under my keyboard!
Wrong. Under the keyboard requires physical access, and there was no company wide email telling the bad guys/girls everyone's password would be conveniently located under a single keyboard.
Ok, the password is...
1.....2.....3.....4....5 Oh, wait, that wouldn't work.... It is the same as my combo on my luggage! :-P
47.3% of statistics are made up on the spot.
You keep your password on a post-it under your keyboard, don't you? It's either that or you're the Sys Admin who came up with this hare-brained scheme! (I kid, I kid!)
Re: Annual About Security (2006-08-09 15:03) by WeDontNeedNoStinkinSecurity
You just know that your luggage is going to be hacked!
I'm taking that you were implying sarcasm, but what you said I have found to be true. You pretty much have to trust a portion of your IT staff to not do bad things. It's impossible for them not to be able to see/find the passwords or other things (yet). The proper thing that they should have done was use a system that did not involve user interaction.... Sadly this is very uncommon these days.
Nevermind that any smart burglar who breaks into an office to specifically steal computer equipment is usually also smart enough to look for written passwords stored in desks, on sticky notes, etc. This is part of the security training I took as a computer forensic investigator and also something my employer's audit division looks for when determining if we're practicing proper security.
But suffice to say, if this is a real email (with some edits to protect the insanely stupid), this company deserves a good hard hacking. With no lube.
Seejay
WTF is a PIN number? People have started numbering their personal identification numbers? I bet you're using a NIC card to connect to this website and you type your PIN number into ATM machines.
Not so sure about that. Not long ago, I helped a friend set up a new office. We brought in about 10 computer-setups. Nothing fancy, just basic large flat panels and mid-line PCs. The system was used to store data for an accounting practice (picture all the info on your federal tax return (account numbers, social security numbers, etc) times thousands of clients). The security guards in the building watched as we hauled in the equipment. That night, they unlocked the door, and ripped the PC's from the network. They took the junkiest boxes, and left the (very expensive) flat panels and server sitting amidst the rubble. It never occurred to them to look at the webcams pointed right at the door and computer areas, with the thick blue wire running across a white wall directly to the server. The whole thing was caught on video, which, if they had taken the server (where it was stored), wouldn't have been of much use to us. Afterwards, they admitted they never even tried to gain access to the boxes - they just thought they could hock them for $50 each. Apparently, you don't even need to be mildly intelligent to be a thief.
If this is for real it isn't only a WTF but is also a OMGHS and a WBD (What a Bunch of Dumbasses).
Oh, wait. I just thought of something. Did Brian just go to work for the brother of a former Kenyan king and their business is doling out monies left behind in foreign accounts with the help of um, helpful American investors?
Not if you store your password as a RSA 256 bit hash on a sticky-note. But, that would be just about as useless as this WTF is.
90 days? Jeez! The default on a windows domain is 42 days. You have it easy.
Ah, but suppose the Spreadsheet was printed, laid on a wooden table, photographed.....
Dear Network Operations,
Please change all my passwords to 1mS01337 for everything but windows. Please make my windows password BhAx0red. Additionally, please send me all of your passwords to the aforementioned systems. Thank you.
I wonder if the password file is sorted alphabetically? So if my name is Zute and the CEO's name is Arthur, and I'm a lazy bastard, then I don't have to read past the first page. I can just use the CEO's creds right?!?!
"Bad, bad, naughty Zute!"
Wait, you were robbed by your own security guards??? WTF?
It was a pretty close estimate.
According to the FBI/CSI 1999 Computer Crime & Security Survey, 30% of companies polled reported system penetration by outsiders. But even higher crime rates were reported from within the traditional perimeter of the enterprise. According to the same study, 55% experienced unauthorized access by insiders within the past year (up 10% from 1998) http://www.intel.com/network/connectivity/resources/doc_library/white_papers/products/ipsecurity/index.htm#Section4
What I can't get past is the Windows Logon. It's so easy for an admin to set password policies that require a change every xx days, and to force constraints. Why would anyone stay for a whole weekend doing something that doesn't require any manual work? Are you sure this isn't made up?
So, the task before you now is to navigate to the XML file, snag the network admin's ID/PW, relogin to the network with that ID at someone else's station and delete the XML file.
because then there would be the added level of work for the admin to figure out everyone's passwords....duhhh :)
I read an interview with Clifford Stoll (the guy who wrote "The Cuckoo's Egg," if you're familiar with it) in which he confessed that he once wrote the root password to one of his servers on a Post-It, stuck it to his monitor, then gave a television interview in which the sticky note and password was clearly visible in the shot the whole time. Not that most of us need to worry about that particular threat...
Have you ever thought about the theory behind mandatory password changing every X months? If you suspect your password has been compromised, it should be changed immediately. If it hasn't, there's no need to change it. Forcing users to change their passwords (some places have dozens of them) results in users writing them down, thus making them more susceptible to being compromised, thus requiring that they are changed more often.