  • Mogri (unregistered)

    Alex Papadimoulis:
    It was the perfect addition to the name and passwords that many laptop users had taped to the top of their screen. And just as secure.

    Nice... 

  • Lionstone (unregistered)

    Ouch.

     And this guy is DIRECTOR of security? *sigh*

  • Ghost Ware Wizard (cs)

    How secure! It meets all the regulatory guidelines for keeping them separate (even if you mean separate to be not physically kept the same as the laptop users tape their user name/password to the notebook and the dongle shows the RSA token in a "different" media).

    <captcha: oops />

  • Jon (unregistered)

    I call BS ... At my old company when we used the RSA ids that was the password... kind of lame today :-/

  • JamesKilton (cs) in reply to Jon

    Well a customer I'm working for has a per-user prefix along with the RSA dongle, so that's a bit more secure than this.

  • KattMan (cs) in reply to Lionstone

    Especially bad is the fact that these keys are not tied to the PC at home, but rather tied to the PC you are connecting to.  This gives you the capability to log into the remote network from any available PC.  So you do not have to keep the token key with the laptop as implied here, you could switch laptops, but that token key is assigned to you and you alone.

    Additionally, this really doesn't completely break the security, because the token key is only part of the full passkey.  You need a secret number to prepend to this in most cases.  The idea is that the autogenerated number tied to your account is who you are, the secret prepended part is your unchanging passcode.  Anyone knowing your password still can't get in because your changing key portion would no longer be valid.

    Now if they had that secret portion written on a sticky note and attached to the laptop, then good bye security.

  • Beavis (unregistered) in reply to KattMan
    KattMan:

    at secret portion written on a sticky note and attached to the laptop, then good bye security.


    Seeing what they did with the RSA key, I'd say this is a given!

  • Jeff Bell (unregistered)

    We have the same thing at my company.  To connect by VPN I have to enter a VPN-specific password, as well as the 6-digit number from the gizmo.

    This is far more secure than password alone systems since it stops any man-in-the-middle or keylogger attacks.  I would tend to notice if my laptop were stolen and report it to IT.

    -Jeff


  • C (unregistered)

    Alex Papadimoulis:
    It was the perfect addition to the name and passwords that many laptop users had taped to the top of their screen. And just as secure.

    This might seem absurd but I actually work for a huge company in the UK that has laptop logins and passwords taped on the machine itself.

  • MikeDawg (unregistered)

    It's not as bad as it seems.  Most implementations of RSA keys usually include a separate PIN number, that the user must enter before or after the key displayed on the keyfob.  How much more secure is a key ring over a keyfob attached to a laptop power supply?

  • KattMan (cs) in reply to Beavis
    Anonymous:
    KattMan:

    at secret portion written on a sticky note and attached to the laptop, then good bye security.


    Seeing what they did with the RSA key, I'd say this is a given!

    I am sure it is, here is the process for one company that does this, count the usernames and passwords needed to access.

    1. Log in to your PC (username, password)
    2. Log in to the provider website (username, password)
    3. Select the PC to connect to and click OK
    4. You get a log in screen (username, password)
    5. Provide the RSA key (RSA key, secret PIN)
    6. Finally, since the remote PC was locked, log in with your network credentials (username, password)

    Keep in mind the PIN and RSA is also like a userid/password pair, so this gives us 5 sets of passwords we have to know; only one of those sets is constantly changing and only two of those can be the same (local PC login and network login to the remote PC).  Now figure the odds that there will be a sticky note permanently cello-taped to the bottom of the laptop.

    Granted, if the RSA keyfob is not attached to the laptop you are still slightly secure because the unknown party won't be able to use it to select any of the remote PCs, but with this above solution, this is also a given.

  • webzter (cs) in reply to Jon

    Anonymous:
    I call BS ... At my old company when we used the RSA ids that was the password... kind of lame today :-/

     We have to log into our laptops with our network username / password. We then have to log into our VPN using our network username and a password that's a 6-10 digit user-defined PIN plus the keyfob's current value.

     Personally, I put my fob on my key ring.... just as accessible (to me) as locking it to the laptop.

  • KattMan (cs)

    Oh and has anyone else realized that the picture does not match the instructions?

    Take a close look, the fob is on the bigger ring that the cord is passed through, but the smaller ring was actually attached to the cord between the end and the block.  The smaller ring was then attached to the larger ring. 

    Imagine the pinching of the power cord as people try to feed it through the small ring here.  And we were worried about batteries blowing up, what about shorts in power cords?

  • biziclop (cs)

    I always thought names of companies like this should not be kept secret.

    This is not your average WTF, in fact it's not even funny. This is not the internal problem of some stupid company that eventually loses its investors' money and end of story. This is about people being careless with our own money. This is a felony.


  • Joshua Thomas (unregistered) in reply to Jeff Bell

    I agree. This is still an improvement over username/password:

    1) An attacker must physically have the SecurID AND username AND PIN to do an attack. So unless your username and PIN are also taped to your monitor....

    2) If the SecurID is stolen, it can be quickly and easily revoked.


    Of course, it would be far better to have it ON YOUR ACTUAL KEY CHAIN.  

  • KattMan (cs) in reply to biziclop
    biziclop:

    I always thought names of companies like this should not be kept secret.

    This is not your average WTF, in fact it's not even funny. This is not the internal problem of some stupid company that eventually loses its investors' money and end of story. This is about people being careless with our own money. This is a felony.


    A few years ago I would agree because whistleblowers were protected.  These days, whistleblowers can and will be sued by the companies in question.  Our laws here in the USA have changed to protect the guilty in cases like this.  Any attempt to correct the problem by making it public knowledge leads to a breach of confidentiality and hence monetary liability.

    I say protect those that hand us this info by obfuscating the source, at least this way we at least hear about it and in some cases can figure the company out ourselves.

  • padren (unregistered)

    An even handier tip:  If you jam it really hard, you can store it nicely in the PCMCIA slot.  Where you store your gum and/or sticky-note pad can be a problem raised by this solution, however.


  • Darwinian Selection (unregistered) in reply to KattMan
    KattMan:

    Oh and has anyone else realized that the picture does not match the instructions?

    Take a close look, the fob is on the bigger ring that the cord is passed through, but the smaller ring was actually attached to the cord between the end and the block.  The smaller ring was then attached to the larger ring. 

    Imagine the pinching of the power cord as people try to feed it through the small ring here.  And we were worried about batteries blowing up, what about shorts in power cords?

    The weak (or stupid) get electrocuted and are subsequently found slumping over their laptops, twitching, enduring a (hopefully) long and excruciatingly painful death.

  • KNY (unregistered) in reply to biziclop
    biziclop:

    I always thought names of companies like this should not be kept secret.

    This is not your average WTF, in fact it's not even funny. This is not the internal problem of some stupid company that eventually loses its investors' money and end of story. This is about people being careless with our own money. This is a felony.


    The way I see it, the anonymity isn't for Alex's protection or for the company's protection; it's for the protection of the submitter. Either you have to strip the submitter's initials/name/whatever, or make the company anonymous. Take your pick.

    Feel free to start a similar site and don't make the WTFs anonymous, if it means that much to you.

  • biziclop (cs) in reply to KattMan
    KattMan:
    biziclop:

    I always thought names of companies like this should not be kept secret.

    This is not your average WTF, in fact it's not even funny. This is not the internal problem of some stupid company that eventually loses its investors' money and end of story. This is about people being careless with our own money. This is a felony.


    A few years ago I would agree because whistleblowers were protected.  These days, whistleblowers can and will be sued by the companies in question.  Our laws here in the USA have changed to protect the guilty in cases like this.  Any attempt to correct the problem by making it public knowledge leads to a breach of confidentiality and hence monetary liability.

    I say protect those that hand us this info by obfuscating the source, at least this way we at least hear about it and in some cases can figure the company out ourselves.

    If this is the case, I'm glad I don't live in the USA.

    Of course I didn't insist that the submitter should expose himself or herself to such legal threats. It's just my natural sense of justice that revolts against laws that protect the guilty and punish those who point out that they are guilty.


  • noehch (cs)

    From the sounds of it...I'm just lucky...no RSA keys to worry about.
    My keychain's already full enough for my liking.

    Although I'm decent at math and memorizing numerics through patterns...

    Alex Papadimoulis:
    ...a constantly changing passcode...
    ...would severely screw with me.
    Yeah...I know I wouldn't have to memorize it...but, I'd still have to fight the established habit of entering the previous key.

    Besides...only been an intern for less than 2 months.
    So, no remote access--work load doesn't really warrant a need for it, anyways.

  • KattMan (cs) in reply to noehch
    noehch:

    From the sounds of it...I'm just lucky...no RSA keys to worry about.
    And, although I'm decent at math and memorizing numerics through patterns...

    Alex Papadimoulis:
    ...a constantly changing passcode...
    ...would severely screw with me.

    Besides...only been an intern for less than 2 months.
    So, no remote access--work load doesn't really warrant a need for it, anyways.

    The constantly changing passcode is what is on the keyfob, fully displayed, no need to remember it.  It changes once every 60 seconds.  If you are a slow typist, most of these have a countdown bar to show how long before the next change happens, so you can wait for it to change and have a full 60 seconds to type it in and submit.
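The PIN-plus-tokencode scheme KattMan lays out above and earlier in the thread (secret PIN prepended, code rotating every 60 seconds), as an added Python model that is not from the thread or from RSA: the code generator is a constructed HMAC stand-in for the proprietary fob algorithm, the one-window clock-skew allowance is an assumption, and the seed and PIN are sample values. It shows why a fob on the power brick alone, or a PIN on a sticky note alone, is rejected, and why a code that was already used or has rotated out is rejected too.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the fob shows a new code once every 60 seconds
DRIFT_STEPS = 1     # assumption: tolerate one window of clock skew either side


def tokencode(seed: bytes, now: int) -> str:
    """Six-digit code for the 60-second window that contains `now`.

    Constructed stand-in for the fob: HMAC-SHA256 over the window counter,
    dynamically truncated to six decimal digits.  RSA's real SecurID
    algorithm is proprietary; this only has the same shape.
    """
    window = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Verifier:
    """Server side of the scheme: per user it stores a PIN hash and the fob
    seed, expects passcode = PIN + tokencode, and never accepts a code from a
    window it has already accepted (so a shoulder-surfed passcode dies)."""

    def __init__(self) -> None:
        self.users = {}

    @staticmethod
    def _pin_hash(pin: str) -> str:
        # Constructed: plain SHA-256 is enough for the demo; a real server
        # would use a slow, salted KDF for the PIN.
        return hashlib.sha256(pin.encode()).hexdigest()

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = {"pin": self._pin_hash(pin), "seed": seed, "last": -1}

    def verify(self, user: str, passcode: str, now: int) -> bool:
        rec = self.users.get(user)
        if rec is None or len(passcode) < 6:
            return False
        pin, code = passcode[:-6], passcode[-6:]
        # Factor 1: the secret, unchanging PIN.
        if not hmac.compare_digest(self._pin_hash(pin), rec["pin"]):
            return False
        # Factor 2: the changing tokencode, checked against the current
        # window and its neighbours, but never against a window already used.
        window = now // STEP_SECONDS
        for cand in range(window - DRIFT_STEPS, window + DRIFT_STEPS + 1):
            if cand <= rec["last"]:
                continue
            if hmac.compare_digest(tokencode(rec["seed"], cand * STEP_SECONDS), code):
                rec["last"] = cand
                return True
        return False


def demo() -> dict:
    """Walk through the cases the thread argues about; seed and PIN are
    constructed sample values."""
    v = Verifier()
    seed = b"constructed-fob-seed-for-the-example"
    v.enroll("mk", "2468", seed)
    t = 1_700_000_000
    code_now = tokencode(seed, t)
    wrong_code = code_now[:-1] + str((int(code_now[-1]) + 1) % 10)
    results = {}
    results["fob_only"] = v.verify("mk", "0000" + code_now, t)              # fob, wrong PIN
    results["pin_only"] = v.verify("mk", "2468" + wrong_code, t)            # PIN, no fob
    results["stale"] = v.verify("mk", "2468" + tokencode(seed, t - 120), t)  # two windows old
    results["good"] = v.verify("mk", "2468" + code_now, t)
    results["replay"] = v.verify("mk", "2468" + code_now, t + 5)            # same code again
    results["next"] = v.verify("mk", "2468" + tokencode(seed, t + 60), t + 60)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>8}: {'accepted' if ok else 'rejected'}")
```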

  • noehch (cs) in reply to KattMan

    KattMan:
    noehch:

    From the sounds of it...I'm just lucky...no RSA keys to worry about.
    And, although I'm decent at math and memorizing numerics through patterns...

    Alex Papadimoulis:
    ...a constantly changing passcode...
    ...would severely screw with me.

    Besides...only been an intern for less than 2 months.
    So, no remote access--work load doesn't really warrant a need for it, anyways.

    The constantly changing passcode is what is on the keyfob, fully displayed, no need to remember it.  It changes once every 60 seconds.  If you are a slow typist, most of these have a countdown bar to show how long before the next change happens, so you can wait for it to change and have a full 60 seconds to type it in and submit.


    ...ok...nvm, then...
    (like I said...never had to deal with them)

    But, still (to point out an edit I got into my original post)...
    My keychain already has enough contents for my liking.

  • Adam B. (unregistered)

    Quote: "...it's a bit of an inconvenience to carry your laptop AND an RSA token on your key ring."

    I'd say it's very inconvenient to carry a laptop on your key ring!

  • nwbrown (cs)

    I can think of plenty of times where the entire point of a particular security measure was completely defeated by the IT guys.  For instance once I called to get a password reset, the IT rep told me the password would be reset and sent to my voice mail so I could call up and retrieve it.  I tell them that I didn't currently have access to my voice mail (long story I won't get into here) and asked if they could just tell me over the phone.  Their response "No, we can't do that as it would be a security risk".  I ask how that would be a security risk and they reply "Well duh!  Someone could be eavesdropping on this call".  I pointed out that if someone were eavesdropping on this call, they could just as easily be eavesdropping on the call I make to my voice mail.  They think for a few seconds and then suggest they could email it to my manager and then I could call her for it.  I point out there is still the same problem, someone could eavesdrop on my call to my manager.  They think about it a bit more and then suggest that they could send it to my manager's voice mail, and then she could call her voice mail to get it, and then call me and tell it to me.  I point out that is even worse, now there are two conversations (the one between my manager and her voice mail and the one between my manager and me) on which someone could eavesdrop.  They respond "Well what do you want us to do?"  I sighed and told them to send it to my email, I'd get it the next day I'm in the office.

  • blaaaaaaaaaaaaa (unregistered)

    Somehow carrying a laptop, a SecurID, and a power brick is less convenient than carrying a laptop and a SecurID?

  • Darwinian Selection (unregistered) in reply to nwbrown

    I'm waiting for some twit to get the idea of taping the RSA tag to the PC, right next to the Post-it with the login and passwords.

  • shadowman (cs) in reply to Adam B.
    Anonymous:

    Quote: "...it's a bit of an inconvenience to carry your laptop AND an RSA token on your key ring."

    I'd say it's very inconvenient to carry a laptop on your key ring!

    Yeah, the laptop hanging off my keyring always manages to get in the way while I'm driving.

  • Darwinian Selection (unregistered) in reply to blaaaaaaaaaaaaa

    Anonymous:
    Somehow carrying a laptop, a SecurID, and a power brick is less convenient than carrying a laptop and a SecurID?

    Perchance, did you mean "less convenient than carrying a laptop and power brick"?

  • VeXocide (cs)

    Oh yes, it is so much easier to carry a power supply and an RSA dongle on your keycord than just the dongle, all in all, a brilliant solution.


  • Stephen (unregistered) in reply to Darwinian Selection
    Anonymous:
    KattMan:

    Oh and has anyone else realized that the picture does not match the instructions?

    Take a close look, the fob is on the bigger ring that the cord is passed through, but the smaller ring was actually attached to the cord between the end and the block.  The smaller ring was then attached to the larger ring. 

    Imagine the pinching of the power cord as people try to feed it through the small ring here.  And we were worried about batteries blowing up, what about shorts in power cords?

    The weak (or stupid) get electrocuted and are subsequently found slumping over their laptops, twitching, enduring a (hopefully) long and excruciatingly painful death.

    Perhaps winning a Darwin Award in the process?

  • Word-smith (unregistered) in reply to Mogri

    "Oblivity"?

  • JamesKilton (cs) in reply to Word-smith

    Anonymous:
    "Oblivity"?

    Aye, good word.

  • Calli Arcale (unregistered)

    Two-factor authentication is a Good Idea.

    Taping your password to your laptop is a Bad Idea.

    Subsequently defeating the two-factor authentication, while simultaneously compromising the safe operation of your power cord, is Moronic.


    That said, it frustrates me whenever I see somebody do things like this.  We all like to moan about IT, but IT deserves a chance to moan at us users too, because of things like this.  There is no system so secure that some impatient user can't compromise it.  Even if you have mandatory security training.  That just goes in one ear and out the other with some people.  Encrypted hard drives that have to be unlocked before you can even think about logging in, SecurIDs with secret unchanging PINs, system passwords, domain passwords, VPN passwords, secure VPN communications....  It can all be brought down by one careless user.

    Which is exactly why the old-fashioned hacking attacks (exploiting social engineering) remain the most effective.  You don't have to break into the system; you just need to find the laziest users.

  • El Quberto (unregistered)

    Laptop manufacturers should wise up and create integrated RSA keyfob slots, saving us from this ugly looking hack.


    / captcha "creative"

  • John Smallberries (cs) in reply to JamesKilton
    JamesKilton:

    Anonymous:
    "Oblivity"?

    Aye, good word.


    Perfectly cromulent.
    Oblivity
  • Mike (unregistered)

    A company I know of exposes a web page on their intranet (to all employees) that is the output of a web cam pointed towards a few SecurIDs that a handful of client support personnel need.  I thought it might make sense to order up a few of the fobs and give them to the right people, so they can use them from home in case the beeper goes off, but this solution is certainly more convenient!

  • SheridanCat (cs)

    I'm missing the WTF here.  The RSA SecurID thingie is useless without the username/password and vice versa.  Anyone attaching their username/password to their PC should be talked to sternly anyway.  Since the SecurID will often be nearby anyway - like attached to the keyring that is in the laptop bag that was just stolen - it really doesn't matter that a thief has access to it.  I flash mine around all the time since it's attached to my keys.  There's nothing insecure about this.

     Though I do think it's dumb to attach it to your power cord since you're going to need it on the FRONT of your computer.

  • OneFactor (cs) in reply to nwbrown

    nwbrown:
    I can think of plenty of times where the entire point of a particular security measure was completely defeated by the IT guys.  For instance once I called to get a password reset, the IT rep told me the password would be reset and sent to my voice mail so I could call up and retrieve it.  I tell them that I didn't currently have access to my voice mail (long story I won't get into here) and asked if they could just tell me over the phone.  Their response "No, we can't do that as it would be a security risk".  I ask how that would be a security risk and they reply "Well duh!  Someone could be eavesdropping on this call".  I pointed out that if someone were eavesdropping on this call, they could just as easily be eavesdropping on the call I make to my voice mail.  They think for a few seconds and then suggest they could email it to my manager and then I could call her for it.  I point out there is still the same problem, someone could eavesdrop on my call to my manager.  They think about it a bit more and then suggest that they could send it to my manager's voice mail, and then she could call her voice mail to get it, and then call me and tell it to me.  I point out that is even worse, now there are two conversations (the one between my manager and her voice mail and the one between my manager and me) on which someone could eavesdrop.  They respond "Well what do you want us to do?"  I sighed and told them to send it to my email, I'd get it the next day I'm in the office.

    Reminds me of my university days before I knew anything about encryption. We were told by the unix admins to use SSH rather than RSH to connect from one machine to another because SSH was "more secure" and that RSH would no longer be supported in about a month. So we switched but it bothered me that SSH worked "just like" RSH. I didn't know much but I did know that the SSH scheme ought to involve generating keys and using passPHRASES which do NOT get sent over the network.  But we just logged in, entered our username and passWORD after connecting, just like we did before.

    So I read the man pages and learned how to generate public-private keys and get SSH to use these keys (that was a fun learning experience). What puzzled me was why I could remote log in with SSH before setting up my keys. But then I learned that SSH could be configured by admins to default to RSH protocol in the absence of any keys though the man pages warned that in this case all the security benefits of SSH would be lost. I asked the admins if they were planning to eventually disable the "default to RSH in the absence of keys" thus forcing users to generate keys and benefit from the extra security. After all, if they are going to disable the RSH command due to security reasons, what sense is there in having SSH default to the insecure RSH protocol in the absence of keys? They told me that it would be too much trouble to get everyone to generate keys and train people out of using passwords. They also said that they didn't generate keys or anything. They just used SSH instead of RSH and typed passwords in just like usual.

    So the net result was that people experienced a slight inconvenience (typing ssh instead of rsh), received no actual benefit or protection, but believed themselves to be secure. And to think that the wikipedians suggest that the http://en.wikipedia.org/wiki/Security_theater is a recent phenomenon.

  • noehch (cs) in reply to SheridanCat
    SheridanCat:

    I'm missing the WTF here.  The RSA SecurID thingie is useless without the username/password and vice versa.  Anyone attaching their username/password to their PC should be talked to sternly anyway.  Since the SecurID will often be nearby anyway - like attached to the keyring that is in the laptop bag that was just stolen - it really doesn't matter that a thief has access to it.  I flash mine around all the time since it's attached to my keys.  There's nothing insecure about this.

     Though I do think it's dumb to attach it to your power cord since you're going to need it on the FRONT of your computer.


    Ok...so the "OMG Factor" (sorry...couldn't think of anything else to call it) isn't exactly through the rough--like most DWTFs are.
    But, for specifics...it's the fact that the director--the person you'd think would be almost obsessive-compulsive over security measures--gave the suggestion.

    With the added bonus of the fire risk as the cable becomes more-and-more stressed.

  • noehch (cs) in reply to noehch

    :)
    sry

    *...through the roof...

  • doc0tis (unregistered)
    Alex Papadimoulis:

    Thankfully, the IT Security director at MK's company (a fairly large banking institution) knows that the ability to conveniently work remotely is much more important than working securely. Shortly after some mean ole' regulatory agency mandated that remote access is secured with a VPN that requires typing in a constantly changing passcode from a physical token, the director had just the solution for everyone ...

    NOT A WTF!!! The objective of this was to create a more secure environment through use of a VPN. This solution would effectively encrypt data so that crackers would have a difficult time decrypting this traffic remotely. This solution would NOT secure the laptop against cracking if the physical security was compromised. But if the physical security of your laptop was compromised, well, then most companies would be in a bad place anyhow. Not many have good enough security to keep a determined cracker away from their data.

    --doc0tis
  • PseudoNoise (unregistered) in reply to Mike
    Anonymous:

    A company I know of exposes a web page on their intranet (to all employees) that is the output of a web cam pointed towards a few SecurIDs that a handful of client support personnel need.  I thought it might make sense to order up a few of the fobs and give them to the right people, so they can use them from home in the case beeper goes off, but this solution is certainly more convenient!



    That is so awesome.  You must send in a screencap.  (don't worry about the security issue, just wait 60 seconds before sending it).  =)

  • some schlepp (unregistered) in reply to PseudoNoise

    I'm disappointed that nobody mentioned the obvious solution:

    Place the Post-it (with login and password) and RSA key face down on a wooden table, next to a sign saying "turn over for access", take a picture, print, and tape to top of monitor!

  • Anonononymous (cs) in reply to shadowman
    shadowman:
    Anonymous:

    Quote: "...it's a bit of an inconvenience to carry your laptop AND an RSA token on your key ring."

    I'd say it's very inconvenient to carry a laptop on your key ring!

    Yeah, the laptop hanging off my keyring always manages to get in the way while I'm driving.



    Is that a laptop in your pocket, or are you just happy to see me?
  • Reed (unregistered) in reply to OneFactor


    Hey, you don't even have to lose the laptop, just the power brick.

     I bet that guy keeps all his private keys on that USB storage device too!


    OneFactor:

    But then I learned that SSH could be configured by admins to default to RSH protocol in the absence of any keys though the man pages warned that in this case all the security benefits of SSH would be lost. I asked the admins if they were planning to eventually disable the "default to RSH in the absence of keys" thus forcing users to generate keys and benefit from the extra security.


    At least with SSH, passwords aren't sent over the network in pure plain text, which prevents casual network sniffing etc.


  • noehch (cs) in reply to doc0tis
    Anonymous:
    Alex Papadimoulis:

    Thankfully, the IT Security director at MK's company (a fairly large banking institution) knows that the ability to conveniently work remotely is much more important than working securely. Shortly after some mean ole' regulatory agency mandated that remote access is secured with a VPN that requires typing in a constantly changing passcode from a physical token, the director had just the solution for everyone ...

    NOT A WTF!!! The objective of this was to create a more secure environment through use of a VPN. This solution would effectively encrypt data so that crackers would have a difficult time decrypting this traffic remotely. This solution would NOT secure the laptop against cracking if the physical security was compromised. But if the physical security of your laptop was compromised, well, then most companies would be in a bad place anyhow. Not many have good enough security to keep a determined cracker away from their data.

    --doc0tis

    Okay...so, what you're implying is that a Post-it, with user/pass, isn't a WTF because it only can allow physical security to be compromised? I doubt many will agree with you.

    Now...you may not have meant to imply that...but, the relationship (through comparison) was made at the end of the initial post...

    Alex Papadimoulis:
    It was the perfect addition to the name and passwords that many laptop users had taped to the top of their screen. And just as secure.

    It may not be a shocker...but, simply pointing out that the director of security didn't learn from the mistakes of idiots in business--and even improved on the stupidity--still makes it a WTF. Especially after considering the cost comparison between a simple account management system and making [possibly] pointless the security measures done by an [assumed] external agency that had to be paid.

  • Eduardo Habkost (unregistered) in reply to OneFactor
    OneFactor:

    So the net result was that people experienced a slight inconvenience (typing ssh instead of rsh), received no actual benefit or protection [...]


    I can't believe you are serious.

Leave a comment on “Security by Oblivity”
