Encrypt All Passwords



  • We get the mandate to protect our client data at all costs. We're going into full lockdown mode. That means everything needs to be encrypted. No more clear text passwords in config files or code. But the config files are only ever used on secure servers in secure facilities by OUR operators! No matter, do it!

    The guy responsible adds en/decryption handling to the code, puts the encrypted passwords into the config files, and checks it all in.

    The audit is done and we pass.

    Afterward, I had the need to look in a config file and find something like this:

    SomeConfig.cfg:

    #USER_PWD=OrigPasswordHere

    USER_PWD=IOQWHFPQWED*(&#E&YDIH(@)*(U@

    I don't know which is the bigger wtf: what the guy did in the config files, or that we passed the audit with the files like that.

     


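An added example, not code from the post or from the project it describes: a small check for the pattern shown in SomeConfig.cfg, where the plaintext credential survives as a commented-out line next to the live, encrypted one. A commented-out password is still a password on disk, and it is exactly what an audit of config files should catch. The secret-key name patterns, the sample file (including the API_TOKEN line) and the reported wording are constructed for the demo. Whether the "encrypted" value itself is much better than plaintext depends on where the decryption key lives, which the post does not say; the check below is only about the comment.

```python
# Added example, not from the post: flag commented-out credential lines in
# KEY=VALUE config files. The secret-key patterns and the sample config
# below are constructed for the demo; adjust them to your own key names.
import re
from typing import List, Tuple

# Key names that usually hold a credential (assumed list, extend as needed).
SECRET_KEY_RE = re.compile(r"(PWD|PASSWD|PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)

# Matches "KEY=VALUE" as well as "#KEY=VALUE" / "; KEY=VALUE" (commented-out) lines.
ASSIGN_RE = re.compile(
    r"^\s*(?P<comment>[#;]\s*)?(?P<key>[A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(?P<value>.*?)\s*$"
)


def parse_assignments(text: str) -> List[Tuple[int, bool, str, str]]:
    """Return (line_no, commented_out, key, value) for every assignment line."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m and m.group("value"):
            found.append((no, m.group("comment") is not None, m.group("key"), m.group("value")))
    return found


def find_commented_secrets(text: str) -> List[str]:
    """Report secret-looking keys whose assignment is commented out. A comment
    does not stop a credential from being a credential on disk, and when the
    same key is also set live, the comment is usually the plaintext of it."""
    assignments = parse_assignments(text)
    live_keys = {key for _, commented, key, _ in assignments if not commented}
    findings = []
    for no, commented, key, _value in assignments:
        if commented and SECRET_KEY_RE.search(key):
            status = "live value also set" if key in live_keys else "no live value"
            findings.append(f"line {no}: commented-out {key} ({status})")
    return findings


# Constructed sample in the shape of the SomeConfig.cfg shown above.
SAMPLE_CFG = """\
# SomeConfig.cfg
DB_HOST=db.internal
#USER_PWD=OrigPasswordHere
USER_PWD=IOQWHFPQWED*(&#E&YDIH(@)*(U@
# API_TOKEN=old-token-value
LOG_LEVEL=info
"""

if __name__ == "__main__":
    for finding in find_commented_secrets(SAMPLE_CFG):
        print(finding)
```

Run it over a checkout before the audit rather than after; the same regex can be pointed at history (`git log -p`) too, since a credential that was committed once and later removed is still in the repository.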

  • @snoofle said:

    I don't know which is the bigger wtf: what the guy did in the config files, or that we passed the audit with the files like that.
     

    That should answer your question. Doing that in the config file is a problem, yes, but not catching it in an audit, where they are supposed to look for things like that, is a bigger issue.



  • @snoofle said:

    We get the mandate to protect our client data at all costs. We're going into full lockdown mode. That means everything needs to be encrypted. No more clear text passwords in config files or code. But the config files are only ever used on secure servers in secure facilities by OUR operators! No matter, do it!

    The guy responsible adds en/decryption handling to the code, puts the encrypted passwords into the config files, and checks it all in.

    The audit is done and we pass.

    Afterward, I had the need to look in a config file and find something like this:

    SomeConfig.cfg:

    #USER_PWD=OrigPasswordHere

    USER_PWD=IOQWHFPQWED*(&#E&YDIH(@)*(U@

    I don't know which is the bigger wtf: what the guy did in the config files, or that we passed the audit with the files like that.

     


    Isn't it obvious? Your employees and the security specialists know that nobody reads the f**king comments.



  • @snoofle said:

    ...

    #USER_PWD=OrigPasswordHere

     

    The original password is actually encrypted with ROT26 encryption. Not a problem at all.



  • @Rick said:

    @snoofle said:

    ...

    #USER_PWD=OrigPasswordHere

     

    The original password is actually encrypted with ROT26 encryption. Not a problem at all.

    That joke never gets funny old.



  • @blakeyrat said:

    @Rick said:
    The original password is actually encrypted with ROT26 encryption. Not a problem at all.

    That joke never gets funny old.

    I've actually seen something like that in the real world.  A few decades ago, someone thought it would be a good idea to password-encrypt a couple of important files by XORing them with a repeated string.  Unless you knew the key, the file would appear as gibberish.  And as an added bonus, you could run the same program with the same key on the encrypted file and decrypt it right back to the original.

    Unfortunately, the machine in question used EBCDIC, and padded out short records with spaces.  So as the key was repeated over these long strings of plaintext x'40' characters, it encrypted to the key with its alphabetic case shifted.  If the key was "UMBRELLA", every line of the file would end with "umbrellaumbrellaumbrella" out to a total of 80 characters.

    I had to quickly slap on something that would ignore trailing spaces when en/decrypting.

     

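The leak described in the post above, as an added example that is not code from the post: repeating-key XOR over fixed-width, space-padded EBCDIC records. It shows why the padding spells out the key with its case flipped, recovers the key from a single record by known plaintext, and applies the "ignore trailing spaces" patch the post mentions. Assumptions: the EBCDIC variant is IBM code page 037 (Python's `cp037` codec), where a space is x'40' and upper- and lower-case letters differ only in bit 0x40; the record text, width and the key "UMBRELLA" are taken from the post.

```python
# Added example (not code from the post above): repeating-key XOR over
# fixed-width, space-padded EBCDIC records. Shows why the padding echoes
# the key, recovers the key from a single record, and applies the
# "ignore trailing spaces" patch the post describes.
# Assumption: the EBCDIC variant is IBM code page 037 (Python codec "cp037"),
# where a space is x'40' and upper/lower case differ only in bit 0x40.
import itertools

EBCDIC = "cp037"
EBCDIC_SPACE = 0x40
RECORD_WIDTH = 80


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def fixed_record(text: str, width: int = RECORD_WIDTH) -> bytes:
    """One record as the machine stored it: EBCDIC, padded with spaces to width."""
    return text.ljust(width).encode(EBCDIC)


def encrypt_record(text: str, key: str) -> bytes:
    """Encrypt a whole padded record, padding included (the original bug)."""
    return xor_repeating(fixed_record(text), key.encode(EBCDIC))


def visible_tail(ciphertext: bytes, text_len: int) -> str:
    """What the padded part of an encrypted record looks like when displayed
    as EBCDIC text. Each pad byte is x'40' ^ key byte, i.e. the key letter
    with its case flipped."""
    return ciphertext[text_len:].decode(EBCDIC)


def recover_key(ciphertext: bytes, text_len: int, key_len: int) -> str:
    """Known-plaintext recovery: every pad byte is x'40', so
    key[i % key_len] == ciphertext[i] ^ 0x40 for every padded position i.
    One key length's worth of padding yields the whole key, correctly aligned."""
    if len(ciphertext) - text_len < key_len:
        raise ValueError("not enough padding to recover the full key")
    key = bytearray(key_len)
    for i in range(text_len, text_len + key_len):
        key[i % key_len] = ciphertext[i] ^ EBCDIC_SPACE
    return bytes(key).decode(EBCDIC)


def xor_skip_trailing_spaces(record: bytes, key: str) -> bytes:
    """The quick patch from the post: XOR only the bytes before the trailing
    spaces and copy the padding through unchanged, so the padding no longer
    spells out the key. Symmetric, with one caveat: if the last body byte of
    a ciphertext happens to be x'40', decryption would strip it as padding."""
    body = record.rstrip(bytes([EBCDIC_SPACE]))
    return xor_repeating(body, key.encode(EBCDIC)) + record[len(body):]


if __name__ == "__main__":
    ct = encrypt_record("HELLO WORLD", "UMBRELLA")
    print(visible_tail(ct, len("HELLO WORLD")))   # ...umbrellaumbrellaumbrella
    print(recover_key(ct, len("HELLO WORLD"), 8))  # UMBRELLA
```

The patch closes the visible leak but not the underlying one: the record length is still exposed, any other run of known plaintext (a fixed header, a column of zeros) recovers the key just as easily, and a repeating-key XOR is a Vigenère cipher, breakable by frequency analysis even without known plaintext.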


  • It's clearly safe.  Even if someone obtained the file, I don't see why "OrigPasswordHere" helps them with anything.

     

    That, or your user chose a password so stupid you didn't feel bad posting it on an online forum.



  • @locallunatic said:

    @snoofle said:

    I don't know which is the bigger wtf: what the guy did in the config files, or that we passed the audit with the files like that.
     

    That should answer your question. Doing that in the config file is a problem, yes, but not catching it in an audit, where they are supposed to look for things like that, is a bigger issue.

    I've never had a security auditor find anything useful. A few years ago, we had an audit and I got a hard time about one of the applications I support because we weren't getting rid of user records in the database, even though we used Active Directory authentication and the Active Directory account was removed. The auditor couldn't grasp the rationale that we needed the records to make some reports make sense and there was no security risk because the user couldn't log in. He asked us to prove that the user couldn't log in.


    At the same time, we have another application that I don't support and the audit completely missed the fact that this application has a table called "Users" that has clear text passwords in it. He also missed that the application has no support for a user changing their own password and that the maximum password length is five characters.



  • @snoofle said:

    At the same time, we have another application that I don't support and the audit completely missed the fact that this application has a table called "Users" that has clear text passwords in it. He also missed that the application has no support for a user changing their own password and that the maximum password length is five characters.
     

    That makes sense. Short passwords are easier to remember and if a user does forget, the admin can read it for him.

     



  • @renewest said:

    @snoofle said:

    At the same time, we have another application that I don't support and the audit completely missed the fact that this application has a table called "Users" that has clear text passwords in it. He also missed that the application has no support for a user changing their own password and that the maximum password length is five characters.
     

    That makes sense. Short passwords are easier to remember and if a user does forget, the admin can read it for him.

     

    Can't tell if trolling. I think this is kind of a Poe's Law sort of thing...



  •  Irony is the word.



  • Security audit existing for purpose of making people feel rested and relaxed. Nothing happen.

    Auditor come. Take a look at everything, make report and send it. Mere formality it is.

    Auditor firm want money for audit. So if auditor make ultra strict recommendation for client, client will go and hire new firm. This is why auditor only come with recommendation and never force them on their client.



  • @Nagesh said:

    Security audit existing for purpose of making people feel rested and relaxed. Nothing happen.

    Auditor come. Take a look at everything, make report and send it. Mere formality it is.

    Auditor firm want money for audit. So if auditor make ultra strict recommendation for client, client will go and hire new firm. This is why auditor only come with recommendation and never force them on their client.

    I really hope you are joking, or trolling or whatever you do in that country because if not.... I don't want to ever work there, ever....


  • ♿ (Parody)

    @serguey123 said:

    @Nagesh said:
    Security audit existing for purpose of making people feel rested and relaxed. Nothing happen.

    Auditor come. Take a look at everything, make report and send it. Mere formality it is.

    Auditor firm want money for audit. So if auditor make ultra strict recommendation for client, client will go and hire new firm. This is why auditor only come with recommendation and never force them on their client.

    I really hope you are joking, or trolling or whatever you do in that country because if not.... I don't want to ever work there, ever....
    Seriously, people are less cynical in "Corruptsylvania" than this? I'd consider this fairly mild, even for a Dilbert strip. There's a major conflict of interest with a company hiring its own auditor.


  • @boomzilla said:

    @serguey123 said:
    @Nagesh said:
    Security audit existing for purpose of making people feel rested and relaxed. Nothing happen.

    Auditor come. Take a look at everything, make report and send it. Mere formality it is.

    Auditor firm want money for audit. So if auditor make ultra strict recommendation for client, client will go and hire new firm. This is why auditor only come with recommendation and never force them on their client.

    I really hope you are joking, or trolling or whatever you do in that country because if not.... I don't want to ever work there, ever....
    Seriously, people are less cynical in "Corruptsylvania" than this? I'd consider this fairly mild, even for a Dilbert strip. There's a major conflict of interest with a company hiring its own auditor.

    Especially in Corruptsylvania.... you can go to jail for this and trust me you don't want to go to a Corruptsylvanian jail


  • ♿ (Parody)

    @serguey123 said:

    Especially in Corruptsylvania.... you can go to jail for this and trust me you don't want to go to a Corruptsylvanian jail

    OK, so I guess that's another hint, since Corruptsylvania is a rather misleading name if this sort of minor corruption gets you put in jail.



  • @serguey123 said:

    Auditor firm want money for audit. So if auditor make ultra strict recommendation for client, client will go and hire new firm. This is why auditor only come with recommendation and never force them on their client.

     

    Does anything else see a correlation between this discussion and today's announcement of the results of a study? http://www.npr.org/blogs/thetwo-way/2011/05/18/136429556/study-finds-homosexuality-celibacy-did-not-cause-catholic-sex-abuse-crisis?ft=1&f=1001



  • @serguey123 said:

    @Nagesh said:

    Security audit existing for purpose of making people feel rested and relaxed. Nothing happen.

    Auditor come. Take a look at everything, make report and send it. Mere formality it is.

    Auditor firm want money for audit. So if auditor make ultra strict recommendation for client, client will go and hire new firm. This is why auditor only come with recommendation and never force them on their client.

    I really hope you are joking, or trolling or whatever you do in that country because if not.... I don't want to ever work there, ever....

    Sorry, I am serious. I am not trolling. I know this for fact. Lot of cooperative banks in India lost all their funds this way and their account holders had to commit suicide. Same case with farmers cops too.

    Bad management of funds caused this to take place.



  • @boomzilla said:

    @serguey123 said:
    Especially in Corruptsylvania.... you can go to jail for this and trust me you don't want to go to a Corruptsylvanian jail
    OK, so I guess that's another hint, since Corruptsylvania is a rather misleading name if this sort of minor corruption gets you put in jail.

    Justice is subjective, not factual.

    You might go to jail, you might not, the problem is that if you go.... everybody goes sooo....

    Moving on, Rick, learn to fucking quote.

    Nagesh I'm really sorry, btw what is a farm cop? a cop that polices a farm?


  • ♿ (Parody)

    @serguey123 said:

    Nagesh I'm really sorry, btw what is a farm cop? a cop that polices a farm?

    I think he was missing an 'o' when he meant coop and cooperative. Which are pronounced more like: co-op, but not always written that way.

