Admin
Nice...
Admin
Ouch.
And this guy is DIRECTOR of security? *sigh*
Admin
How secure! It meets all the regulatory guidelines for keeping them separate (even if you mean separate to be not physically kept the same as the laptop users tape their user name/password to the notebook and the dongle shows the RSA token in a "different" media).
Admin
I call BS ... At my old company when we used the RSA ids that was the password... kind of lame today :-/
Admin
Well a customer I'm working for has a per-user prefix along with the RSA dongle, so that's a bit more secure than this.
Admin
Especially bad is the fact that these keys are not tied to the PC at home, but rather tied to the PC you are connecting to. This gives you the capability to log into the remote network from any available PC. So you do not have to keep the token key with the laptop as implied here, you could switch laptops, but that token key is assigned to you and you alone.
Additionally, this really doesn't completely break the security, because the token key is only part of the full passkey. You need a secret number to prepend to this in most cases. The idea is that the autogenerated number tied to your account is who you are, the secret prepended part is your unchanging passcode. Anyone knowing your password still can't get in because your changing key portion would no longer be valid.
Now if they had that secret portion written on a sticky note and attached to the laptop, then good bye security.
Admin
Seeing what they did with the RSA key, I'd say this is a given!
Admin
We have the same thing at my company. To connect by VPN I have to enter a VPN specific password, as well as the 6 digit number from the gizmo.
This is far more secure than password-alone systems since it stops any man-in-the-middle or keylogger attacks. I would tend to notice if my laptop were stolen and report it to IT.
-Jeff
Admin
This might seem absurd but I actually work for a huge company in the UK that has laptop logins and passwords taped on the machine itself.
Admin
It's not as bad as it seems. Most implementations of RSA keys usually include a separate PIN number, that the user must enter before or after the key displayed on the keyfob. How much more secure is a key ring over a keyfob attached to a laptop power supply?
Admin
I am sure it is, here is the process for one company that does this, count the usernames and passwords needed to access.
Keep in mind the PIN and RSA is also like a userid/password pair, so this gives us 5 sets of passwords we have to know, only one of those sets is constantly changing and only two of those can be the same (local PC login and network login to the remote PC). Now figure the odds that there will be a sticky note permanently cello-taped to the bottom of the laptop.
Granted if the RSA keyfob is not attached to the laptop you are still slightly secure because the unknown party won't be able to use it to select any of the remote PCs, but with this above solution, this is also given.
Admin
We have to log into our laptops with our network username / password. We then have to log into our VPN using our network username and a password that's a 6-10 digit user-defined PIN plus the keyfob's current value.
Personally, I put my fob on my key ring.... just as accessible (to me) as locking it to the laptop.
Admin
Oh and has anyone else realized that the picture does not match the instructions?
Take a close look, the fob is on the bigger ring that the cord is passed through, but the smaller ring was actually attached to the cord between the end and the block. The smaller ring was then attached to the larger ring.
Imagine the pinching of the power cord as people try to feed it through the small ring here. And we were worried about batteries blowing up, what about shorts in power cords?
Admin
I always thought names of companies like this should not be kept secret.
This is not your average WTF, in fact it's not even funny. This is not the internal problem of some stupid company that eventually loses its investors' money and end of story. This is about people being careless with our own money. This is a felony.
Admin
I agree. This is still an improvement over username/password:
1) An attacker must physically have the secureid AND username AND pin to do an attack. So unless your username and pin are also taped to your monitor....
2) If the secureid is stolen, it can be quickly and easily revoked.
Of course, it would be far better to have it ON YOUR ACTUAL KEY CHAIN.
Admin
A few years ago I would agree because whistle blowers were protected. These days, whistleblowers can and will be sued by the companies in question. Our laws here in the USA have changed to protect the guilty in cases like this. Any attempt to correct the problem by making it public knowledge leads to a breach of confidentiality and hence monetary liability.
I say protect those that hand us this info by obfuscating the source, at least this way we at least hear about it and in some cases can figure the company out ourselves.
Admin
An even handier tip: If you jam it really hard, you can store it nicely in the PCMCIA slot. Where you store your gum and/or sticky-note pad can be a problem raised by this solution, however.
Admin
The weak (or stupid) get electrocuted and are subsequently found slumping over their laptops, twitching, enduring a (hopefully) long and excruciatingly painful death.
Admin
The way I see it, the anonymity isn't for Alex's protection or for the company's protection; it's for the protection of the submitter. Either you have to strip the submitter's initials/name/whatever, or make the company anonymous. Take your pick.
Feel free to start a similar site and don't make the WTFs anonymous, if it means that much to you.
Admin
If this is the case, I'm glad I don't live in the USA.
Of course I didn't insist that the submitter should expose himself or herself to such legal threats. It's just my natural sense of justice that revolts against laws that protect the guilty and punish those who point out them being guilty.
Admin
From the sounds of it...I'm just lucky...no RSA keys to worry about.
My keychain's already full enough for my liking.
Although I'm decent at math and memorizing numerics through patterns...
...would severely screw with me. Yeah... I know I wouldn't have to memorize it... but, I'd still have to fight the established habit of entering the previous key.
Besides... only been an intern for less than 2 months.
So, no remote access -- work load doesn't really warrant a need for it, anyways.
Admin
How about the guy with the webcam pointed at his secureID?
Admin
The constantly changing passcode is what is on the keyfob, fully displayed, no need to remember it. It changes once every 60 seconds. If you are a slow typer, most of these have a countdown bar to show how long before the next change happens so you can wait for it to change and have a full 60 seconds to type it in and submit.
Admin
...ok...nvm, then...
(like I said...never had to deal with them)
But, still (to point out an edit I got into my original post)...
My keychain already has enough contents for my liking.
Admin
Quote: "...it's a bit of an inconvenience to carry your laptop AND an RSA token on your key ring."
I'd say it's very inconvenient to carry a laptop on your key ring!
Admin
I can think of plenty of times where the entire point of a particular security measure was completely defeated by the IT guys. For instance once I called to get a password reset, the IT rep told me the password would be reset and sent to my voice mail so I could call up and retrieve it. I tell them that I didn't currently have access to my voice mail (long story I won't get into here) and asked if they could just tell me over the phone. Their response: "No, we can't do that as it would be a security risk". I ask how that would be a security risk and they reply "Well duh! Someone could be eavesdropping on this call". I pointed out that if someone were eavesdropping on this call, they could just as easily be eavesdropping on the call I make to my voice mail. They think for a few seconds and then suggest they could email it to my manager and then I could call her for it. I point out there is still the same problem, someone could eavesdrop on my call to my manager. They think about it a bit more and then suggest that they could send it to my manager's voice mail, and then she could call her voice mail to get it, and then call me and tell it to me. I point out that is even worse, now there are two conversations (the one between my manager and her voice mail and the one between my manager and me) on which someone could eavesdrop. They respond "Well what do you want us to do?" I sighed and told them to send it to my email, I'd get it the next day I'm in the office.
Admin
Somehow carrying a laptop, a securID, and a power brick is less convenient than carrying a laptop and a securID?
Admin
I'm waiting for some twit to get the idea of taping the rsa tag to the pc, right next to the postit with the login and passwords.
Admin
Yeah, the laptop hanging off my keyring always manages to get in the way while I'm driving.
Admin
Perchance, did you mean "less convenient than carrying a laptop and power brick"?
Admin
Oh yes, it is so much easier to carry a power supply and an RSA dongle on your keycord than just the dongle, all in all, a brilliant solution.
Admin
Perhaps winning a Darwin Award in the process?
Admin
"Oblivity"?
Admin
As long as it's postha.... posthum... $*#&%@ ... after they die!
Admin
Aye, good word.
Admin
Two-factor authentication is a Good Idea.
Taping your password to your laptop is a Bad Idea.
Subsequently defeating the two-factor authentication, while simultaneously compromising the safe operation of your power cord, is Moronic.
That said, it frustrates me whenever I see somebody do things like this. We all like to moan about IT, but IT deserves a chance to moan at us users too, because of things like this. There is no system so secure that some impatient user can't compromise it. Even if you have mandatory security training. That just goes in one ear and out the other with some people. Encrypted hard drives that have to be unlocked before you can even think about logging in, SecureIDs with secret unchanging PINs, system passwords, domain passwords, VPN passwords, secure VPN communications.... It can all be brought down by one careless user.
Which is exactly why the old-fashioned hacking attacks (exploiting social engineering) remain the most effective. You don't have to break into the system; you just need to find the laziest users.
Admin
Laptop manufacturers should wise up and create integrated RSA keyfob slots, saving us from this ugly looking hack.
Admin
Perfectly cromulent.
Oblivity
Admin
A company I know of exposes a web page on their intranet (to all employees) that is the output of a web cam pointed towards a few SecurIDs that a handful of client support personnel need. I thought it might make sense to order up a few of the fobs and give them to the right people, so they can use them from home in the case beeper goes off, but this solution is certainly more convenient!
Admin
I'm missing the WTF here. The RSA SecureID thingie is useless without the username/password and vice versa. Anyone attaching their username/password to their PC should be talked to sternly anyway. Since the SecurID will often be nearby anyway - like attached to the keyring that is in the laptop bag that was just stolen - it really doesn't matter that a thief has access to it. I flash mine around all the time since it's attached to my keys. There's nothing insecure about this.
Though I do think it's dumb to attach it to your power cord since you're going to need it on the FRONT of your computer.
Admin
Reminds me of my university days before I knew anything about encryption. We were told by the unix admins to use SSH rather than RSH to connect from one machine to another because SSH was "more secure" and that RSH would no longer be supported in about a month. So we switched but it bothered me that SSH worked "just like" RSH. I didn't know much but I did know that the SSH scheme ought to involve generating keys and using passPHRASES which do NOT get sent over the network. But we just logged in, entered our username and passWORD after connecting just like we did before.
So I read the man pages and learned how to generate public-private keys and get SSH to use these keys (that was a fun learning experience). What puzzled me was why I could remote log in with SSH before setting up my keys. But then I learned that SSH could be configured by admins to default to RSH protocol in the absence of any keys though the man pages warned that in this case all the security benefits of SSH would be lost. I asked the admins if they were planning to eventually disable the "default to RSH in the absence of keys" thus forcing users to generate keys and benefit from the extra security. After all, if they are going to disable the RSH command due to security reasons, what sense is there in having SSH default to the insecure RSH protocol in the absence of keys? They told me that it would be too much trouble to get everyone to generate keys and train people out of using passwords. They also said that they didn't generate keys or anything. They just used SSH instead of RSH and typed passwords in just like usual.
So the net result was that people experienced a slight inconvenience (typing ssh instead of rsh), received no actual benefit or protection, but believed themselves to be secure. And to think that the wikipedians suggest that the http://en.wikipedia.org/wiki/Security_theater is a recent phenomenon.
Admin
Ok...so the "OMG Factor" (sorry...couldn't think of anything else to call it) isn't exactly through the rough--like most DWTF's are.
But, for specifics...it's the fact that the director--the person you'd think would be almost obsessive-compulsive over security measures--gave the suggestion.
With the added bonus of the fire risk as the cable becomes more-and-more stressed.
Admin
:)
sry
*...through the roof...
Admin
NOT A WTF!!! The objective of this was to create a more secure environment through use of a VPN. This solution would effectively encrypt data so that crackers would have a difficult time decrypting this traffic remotely. This solution would NOT secure the laptop against cracking if the physical security was compromised. But if the physical security of your laptop was compromised, well, then most companies would be in a bad place anyhow. Not many have good enough security to keep a determined cracker away from their data.
--doc0tis
Admin
That is so awesome. You must send in a screencap. (don't worry about the security issue, just wait 60 seconds before sending it). =)
Admin
I'm disappointed that nobody mentioned the obvious solution:
Place the postit (with login and password), and rsa key face down on a wooden table, next to a sign saying "turn over for access", take a picture, print, and tape to top of monitor!
Admin
Is that a laptop in your pocket, or are you just happy to see me?
Admin
Hey, you don't even have to lose the laptop, just the power brick.
I bet that guy keeps all his private keys on that USB storage device too!
At least with SSH passwords aren't sent over the network in pure plain text, which prevents casual network sniffing etc.
Admin
Okay... so, what you're implying is that a PostIt, with user/pass, isn't a WTF 'cause it only can allow physical security to be compromised? I doubt many will agree with you.
Now...you may not have meant to imply that...but, the relationship (through comparison) was made at the end of the initial post...
It may not be a shocker...but, simply pointing out that the director of security didn't learn from the mistakes of idiots in business--and even improved on the stupidity--still makes it a WTF. Especially, after considering the cost comparison between a simple account management system to making [possibly] pointless the security measures done by an [assuming] external agency that had to be paid.
Admin
I can't believe you are serious.