As seen on ServerFault.com



  • Some of you may have heard about this on Twitter, but here's the link


    and a precis:


    "A security auditor for our servers has demanded the following within two weeks:




    •A list of current usernames and plain-text passwords for all user accounts on all servers


    •A list of all password changes for the past six months, again in plain-text


    •A list of "every file added to the server from remote devices" in the past six months


    •The public and private keys of any SSH keys


    •An email sent to him every time a user changes their password, containing the plain text password"




    The user posted the requests on ServerFault to get a reality check that this is the sort of information
    he should definitely not be providing, if it were even possible, even to an auditor.


    There are updates on the ongoing email discussion between samarudge and the idiot auditor.



  • I wish I had a list of all 100 of the auditor's current clientelle and if I find anyone who I had previously done business with, cease business and change my credit card number immediately.



  • I wonder if anybody has had their identity stolen because they did business with someone who followed that auditor's security practices.

    The auditor is either a total idiot or is a criminal trying to get complete access to the company's systems. I hope they find out which one.


  • Fake News

    Is this auditor based in China?



  • @lolwhat said:

    Is this auditor based in China?
    No, Nigeria... And after you give him your server IPs, user ids, and passwords, he'll transfer ten million dollars to your account.


  • Discourse touched me in a no-no place

    @Quango said:

    •The public and private keys of any SSH keys
    Seems he missed asking for the passwords for the private keys...



  • Maybe instead of that "questions closed on other forums" forum that nobody uses we should have a "seen on StackOverflow network sites" forum.



  • Doesn't sound like an idiot or a criminal to me, just a good auditor.

    1. Please turn over all your sensitive information to me, some outside idiot.
    2. (Customer complies)
    3. Congratulations, you have failed your audit. You are vulnerable to social engineering. Please cut the check for an even $75k.


  • @smxlong said:

    Doesn't sound like an idiot or a criminal to me, just a good auditor.

    1. Please turn over all your sensitive information to me, some outside idiot.
    2. (Customer complies)
    3. Congratulations, you have failed your audit. You are vulnerable to social engineering. Please cut the check for an even $75k.
     

    So he'll keep that facade up to the point the client cancels their account with them and then reports them to the PCI SSC? Yeah, he's a great auditor.



  • @RHuckster said:

    @smxlong said:

    Doesn't sound like an idiot or a criminal to me, just a good auditor.

    1. Please turn over all your sensitive information to me, some outside idiot.
    2. (Customer complies)
    3. Congratulations, you have failed your audit. You are vulnerable to social engineering. Please cut the check for an even $75k.
     

    So he'll keep that facade up to the point the client cancels their account with them and then reports them to the PCI SSC? Yeah, he's a great auditor.

    Reported for what, trying to trick them into committing a violation and them falling for it? That sounds like the definition of an auditor's job. Honestly not familiar with PCI, except that it's widely required, but I'd be surprised if an auditor was forbidden from such tactics. What's the point of system security when any idiot with an air of authority can just ask for shit and have it handed over? It'd be great if every company was put to such a test. I bet most of them would fail.



  • @smxlong said:

    @RHuckster said:

    @smxlong said:

    Doesn't sound like an idiot or a criminal to me, just a good auditor.

    1. Please turn over all your sensitive information to me, some outside idiot.
    2. (Customer complies)
    3. Congratulations, you have failed your audit. You are vulnerable to social engineering. Please cut the check for an even $75k.
     

    So he'll keep that facade up to the point the client cancels their account with them and then reports them to the PCI SSC? Yeah, he's a great auditor.

    Reported for what, trying to trick them into committing a violation and them falling for it? That sounds like the definition of an auditor's job. Honestly not familiar with PCI, except that it's widely required, but I'd be surprised if an auditor was forbidden from such tactics. What's the point of system security when any idiot with an air of authority can just ask for shit and have it handed over? It'd be great if every company was put to such a test. I bet most of them would fail.

    Problem is, when they do fail, you'll have a dangerous individual with a lot of power in his hands. This can backfire in so many ways that if you wrote an article defending your point of view you'd be eligible for an economy IgNobel.



  •  It seems to me that this auditor is not an idiot - they are a conman. I'd be contacting the police as well as my legal department.



  • @smxlong said:

    @RHuckster said:

    @smxlong said:

    Doesn't sound like an idiot or a criminal to me, just a good auditor.

    1. Please turn over all your sensitive information to me, some outside idiot.
    2. (Customer complies)
    3. Congratulations, you have failed your audit. You are vulnerable to social engineering. Please cut the check for an even $75k.
     

    So he'll keep that facade up to the point the client cancels their account with them and then reports them to the PCI SSC? Yeah, he's a great auditor.

    Reported for what, trying to trick them into committing a violation and them falling for it? That sounds like the definition of an auditor's job. Honestly not familiar with PCI, except that it's widely required, but I'd be surprised if an auditor was forbidden from such tactics. What's the point of system security when any idiot with an air of authority can just ask for shit and have it handed over? It'd be great if every company was put to such a test. I bet most of them would fail.

     

    Either you didn't read the whole thing or you're trolling.

    First of all, he didn't fall for it. He repeatedly told them that was impossible to do under the very PCI requirements this auditor was auditing. As soon as your auditing client says, "I don't have plain-text passwords because that's against PCI guidelines" the auditor should tick a box saying the client passed the first test. Continuing your request for this kind of data after the client repeatedly refuses only gives your client the impression that you're an idiot or a conman.

    Second of all, he not only persisted his request for this data after repeated assertions by the client that it's impossible but displayed ignorance in other aspects including believing PCI is software and thinking 10 years in cyber-security is some kind of God-like tenure that nobody at serverfault.com could possibly have attained.

    If, despite all evidence to the contrary, the auditor was truly trying to trick the guy into violating PCI regulations, then he took the ruse way too far and is, therefore, an idiot.



  •  I wonder if the OP ever verified whether that was a legitimate security auditor for the company in question.  My gut reaction is that it's a conman posing as a security auditor.  Then again, maybe I'm overestimating the intelligence of most security auditors.  I have worked with plenty of individuals in IT who cannot be convinced they are wrong, no matter how much evidence there is to the contrary, and no matter how many people point it out to them.



  • The auditor's company was originally hired by the poster's company to do the PCI security audit. PCI compliance is required if you want to store and process card details and payments, for example.



    So essentially the auditor is an idiot who does not understand security. He thinks he does and is trying to browbeat the poster to providing what he wants.


    Fortunately

    (a) the poster's company has hired a different audit company

    (b) the poster has reported the original one to PCI SCC (the Security Standards Council) - which means the auditor will be disqualified. Quite likely the audit company would lose it's PCI approved status as well.



  • @bighusker said:

     I wonder if the OP ever verified whether that was a legitimate security auditor for the company in question.

    Lern2read.

    @OP said:

    Unfortunately I don't think he's just testing us, these things are in the companies official security policy now.



  • Oh, I love this [url=http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants/293284#293284]comment[/url]:

    @Chopper3 said:

    I'm also a very nasty piece of work who will happily curb-stamp this guy for you if you like just for the fun of it, let me know if you'd like help ok.



  •  When the OP asks if he should send fake data....  it would be fun to send the auditor account data which is specifically rigged with some tracking.



  • I think the rest of you hit on this, but the second response down says all that needs to be said.

    [quote user="Mark Motherfucking Henderson"]If it were possible to provide these requirements, you would instantly fail every single audit worth having.[/quote]

     


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.