Security... not quite getting it



  • So my mom started a new job at a call center related to Social Security, Medicare, etc. - not a government agency, a private support company.  Old people call in and get assistance managing their stuff.  

     They're very big on security - after all, their various applications have access to some sensitive data.  So they require complex passwords (3 part - numeric, alpha, special at minimum), you get yelled at if you walk away from your workstation without first remembering to lock it, you're not supposed to wear your badge anywhere off work grounds so you don't accidentally lose it and some stranger uses your photo ID badge to impersonate you, so on and so forth.

    After all of these instructions on how to be secure, they tell you to store your passwords "in your email" (aka email yourself, leaving a message with your passwords on their Exchange server).

     



  •  Wouldn't you need the password to the email account anyway to get the password list?



  •  or physical access to their Exchange server, which should only contain non-sensitive data, but due to the WTF here contains passwords to the systems that contain sensitive data.  

     

    Never forget physical attacks on infrastructure.  That is assuming you couldn't social engineer or dictionary attack some luser on this system's password.



  • @morbiuswilters said:

     Wouldn't you need the password to the email account anyway to get the password list?

     

     

    By the same token, you could just put it on a post-it note on your monitor, because you have to have a security badge to get into the building.

     

    EDIT:  Oh, you meant you need your password to get your password, thought you were saying it was safe because it was protected by a password.  Kind of like "Send me an email to tell me the email system is down"

     

     



  •   I was thinking the same as you, taylonr - I'm assuming they're just supposed to remember their Active Directory login, or write it down.



  • @Kazan said:

    or physical access to their Exchange server, which should only contain non-sensitive data,
     

    Isn't it a kind of common assumption that corporate email does contain sensitive information?



  •  @vt_mruhlin said:

    @Kazan said:

    or physical access to their Exchange server, which should only contain non-sensitive data,
     

    Isn't it a kind of common assumption that corporate email does contain sensitive information?

    I don't include what most companies I've worked for consider sensitive in my definition of sensitive - e.g. how they do price estimates? Whatever. 

     

    By sensitive I mean SSNs.



  • @Kazan said:

     or physical access to their Exchange server, which should only contain non-sensitive data, but due to the WTF here contains passwords to the systems that contain sensitive data.  

     

    Never forget physical attacks on infrastructure.  That is assuming you couldn't social engineer or dictionary attack some luser on this system's password.

    If someone physically compromises the mail server they have more than enough control to do bad things.  You're the one who is forgetting that physical attacks beat pretty much any kind of password system. 



  • @taylonr said:

    By the same token, you could just put it on a post-it note on your monitor, because you have to have a security badge to get into the building.

    Not quite, but for the most part, yes.  If someone has physical access to your workstation then assuming your passwords are safe is pretty ridiculous.  The difference is that a post-it note requires no effort to copy so it's not quite the same comparison.  However, if someone has physical access to the mail server where they can obtain your passwords off disk then they can do all sorts of other nasty stuff. 

     

    @taylonr said:

    EDIT:  Oh, you meant you need your password to get your password, thought you were saying it was safe because it was protected by a password.  Kind of like "Send me an email to tell me the email system is down"

    That occurred to me as well, but I assumed there were different logins for AD.



  • If your mail server encrypted its datastore in such a way that it can only be decrypted using your password, this wouldn't be such a huge WTF.

    However, most mail servers use unencrypted storage, meaning you need only have read access to whatever files the data is stored in to read the stored passwords.

     

    It's a bit like keeping all your keys in a toolshed in the back yard.  Sure, you should be able to keep it relatively secure, but if someone *does* get in there, you're screwed.



  • @merreborn said:

    If your mail server encrypted its datastore in such a way that it can only be decrypted using your password, this wouldn't be such a huge WTF.

    However, most mail servers use unencrypted storage, meaning you need only have read access to whatever files the data is stored in to read the stored passwords.

     

    It's a bit like keeping all your keys in a toolshed in the back yard.  Sure, you should be able to keep it relatively secure, but if someone *does* get in there, you're screwed.

    If someone gains control of your mail server they can do plenty of nasty things even if the passwords are not saved in the mailstore.  The fact is, it's really not that big of a difference if the passwords are stored on the mail server or not.  There are vectors of attack that are far more likely to be exploited.  Worrying about passwords in the mailstore is short-sighted and it detracts from the security measures that should be followed.



  • Security - along the lines of giving every passenger on a commercial flight a gun/knife so no terrorist would dare pull anything...

    Remove all passwords from all systems, but rig every computer on the planet to send 10,000 volts into your hands if the app comes back not-authorized.

    I'm still working on what happens if you are authorized but just type it incorrectly - maybe increasing jolts - could be laughs though!

    User: TDWTF Pwd: WTg <jolt>
    User: TDWTF Pwd: WtF <ZZZZZZaaaaaaapppp!!!>
    User: TDWTF Pwd: wtF <miniature nuclear blast>
    


  •  It's probably not the best idea, for the simple reason that if someone did forget to lock his workstation, someone else could pop open Outlook and probably harvest any passwords within a matter of seconds.  In terms of "external" security though, it's really not the same thing as sending passwords outside the company over SMTP through untrusted servers and relays.  It's a bit like having your credit cards in your wallet - there's a reasonable expectation that other people won't be rooting around in it, unless you've already done something stupid like lose it.



  • @Aaron said:

    It's probably not the best idea, for the simple reason that if someone did forget to lock his workstation, someone else could pop open Outlook and probably harvest any passwords within a matter of seconds.  In terms of "external" security though, it's really not the same thing as sending passwords outside the company over SMTP through untrusted servers and relays.  It's a bit like having your credit cards in your wallet - there's a reasonable expectation that other people won't be rooting around in it, unless you've already done something stupid like lose it.

    Excellent analogy.  Also, anyone who can pop open your outlook can just about as easily install a keylogger and just get the passwords that way.  The only better solution would be to have every user memorize every password, but that's going to be difficult to enforce.  What's more, it's still defeated by physical access to the machine (or the person, as well).  In general your mail server is going to be more secure than the workstations your users are using to type the passwords every day or even their brains.

     

    To me it makes a lot more sense to ease the use of strong, per-service passwords by encouraging a "master list".  Asking the users to store it on the corporate mail server also makes it a bit easier to audit access and centrally lock-down all passwords if you suspect compromise of the system.  It's certainly a lot better than having each user come up with their own method of saving the passwords, where you'll end up with everything from a text file on the desktop to post-it notes.  It's also a lot better than having the user choose their dog's name as the password for every single service they access.
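The two ideas above, merreborn's "datastore decryptable only with your password" and morbiuswilters' "master list" of strong per-service passwords, come down to the same thing: the list is fine to keep if the file on disk is useless without the one secret the user memorises. The following is an added example, not code from this thread or from any product mentioned in it, contrasting the "email yourself the list" approach (plaintext on disk) with a list sealed under a key derived from the user's password. It assumes only the Python standard library, so the stream cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag; in real use you would reach for AES-GCM or a vetted password manager. The sample entries, the master password and the iteration count are constructed for the illustration.

```python
"""Password list on disk: plaintext vs. encrypted under a user-derived key.

Added illustration, not code from the thread. Standard library only, so the
cipher is HMAC-SHA256 in counter mode (a PRF keystream) with an
encrypt-then-MAC tag; in production use AES-GCM or a vetted password manager.
"""
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 600_000   # assumption: OWASP-style work factor for PBKDF2-HMAC-SHA256
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample data: the kind of per-service list a call-centre agent might keep.
SAMPLE_ENTRIES = [
    {"service": "claims-app", "user": "agent42", "password": "Kq8$veWm2xLp"},
    {"service": "medicare-portal", "user": "agent42", "password": "7hT!nRzaQ4bd"},
]


def plaintext_store(entries):
    """What 'email yourself the list' amounts to: the secrets sit verbatim on disk."""
    return json.dumps(entries).encode()


def _derive_keys(password, salt):
    """Stretch the user's password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; each (nonce, counter) block is a fresh PRF output."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(entries, password):
    """Return salt || nonce || ciphertext || tag, decryptable only with `password`."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(blob, password):
    """Verify the tag first (constant time), then decrypt; wrong password -> ValueError."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def leaks_passwords(raw_file_bytes, entries):
    """Attacker model from the thread: read access to the file, no password.

    True if any stored password can be recovered by simply grepping the bytes.
    """
    return any(e["password"].encode() in raw_file_bytes for e in entries)


if __name__ == "__main__":
    master = "correct horse battery staple"  # assumption: the agent's one memorised secret
    print("plaintext leaks:", leaks_passwords(plaintext_store(SAMPLE_ENTRIES), SAMPLE_ENTRIES))
    blob = encrypt_vault(SAMPLE_ENTRIES, master)
    print("encrypted leaks:", leaks_passwords(blob, SAMPLE_ENTRIES))
    print("round trip ok:", decrypt_vault(blob, master) == SAMPLE_ENTRIES)
```

The point of `leaks_passwords` is the threat model the thread keeps circling: someone with read access to the mailstore files, or to an unlocked Outlook, gets everything from the plaintext version and nothing from the sealed one without also having the master password. The tag check before decryption also catches a tampered vault, so an attacker with write access cannot silently swap in their own entries.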


  • Garbage Person

     Yeah, really. If they can physically attack the mail server... The database server is probably about 2 feet left, right, up, or down from there.



  • @Weng said:

     Yeah, really. If they can physically attack the mail server... The database server is probably about 2 feet left, right, up, or down from there.

     

     

    Typically... but not in the case of their apps.



  • @Kazan said:

    Typically... but not in the case of their apps.

    Still, what does it matter?  If someone can compromise the mail server they can easily gain access to other services.



  • @Weng said:

     Yeah, really. If they can physically attack the mail server... The database server is probably about 2 feet left, right, up, or down from there.

    ... behind the firewall, the Concrete Wall, the hell hounds and the cattleprod-toting BOFHs.

    I've already seen environments where the NT servers are physically separated from the "real stuff": the mainframes and UNIX servers. The Win2003 servers are not even in the same subnet, so going from the "secure" Exchange server to the DB2 box wouldn't be possible, as the NT servers are blocked out from the UNIX subnet. Now that's security!



  • My organization's pretty dumb too; they have a default password which everyone is "expected" to change. You can pretty much take a stab at how many people actually change them.



  • @catatoniaunlimited said:

    My organization's pretty dumb too; they have a default password which everyone is "expected" to change. You can pretty much take a stab at how many people actually change them.

    About 30%? I'd further guess that about 10% of users have a non-trivial password.

