
Computer Security Quote of the Day



Sporkman
April 1st, 2008, 03:25 PM
There are even easier ways to steal passwords. Mr. Evans suggests calling someone and simply asking for their password. A 2007 report by the Treasury Inspector General for Tax Administration found that 60% of Internal Revenue Service employees tested voluntarily shared their passwords with a caller claiming to be from the service's IT department. In a written response to the report, the IRS said it was working to improve its security.

http://online.wsj.com/article/SB120700735637678619.html?mod=yahoo_hs&ru=yahoo

wPwLUi3N
April 2nd, 2008, 09:54 AM
That is social engineering at work!!!

smoker
April 2nd, 2008, 10:01 AM
hmm, a post-it note on the side of the monitor seems to be a good 'hiding place' for some users' password!

kutjara
April 2nd, 2008, 02:43 PM
http://online.wsj.com/article/SB120700735637678619.html?mod=yahoo_hs&ru=yahoo

I had a colleague several years back, who I overheard saying what I thought to be random letters over the phone. When he'd finished the call, I asked him what it had been about. "Oh," he replied, "it was a guy from tech support who needed some information about my computer account." "What sort of information?" I asked suspiciously. "Well," said my workmate, "he said that they've got a new system whereby they can log into our user accounts to perform maintenance, but only if we allow them by giving them a couple of characters from our account password."

I spent the next few minutes picking my jaw up off the floor and strapping it back into place with Scotch tape, but when I finally recovered, I informed my friend that I had never, in my many years of computer use, heard of such a system. "I know when you call your bank, for example, they sometimes ask for a couple of characters from your 'secret word' to act as a secondary verification to the password or PIN you've already entered on the keypad," I told him, "but I've never had anyone call me and then ask me to prove that I'm the person they called."

"Oh, it's ok," he replied, "he didn't want my entire password." "But I heard you giving out a whole bunch of letters. Why was that?" I asked. "Well, the guy was on a bad line and had trouble hearing me, so he asked for a bunch of different letters. He told me he must be mishearing what I was saying, because the system was rejecting his inputs and asking for different ones." "OK," I said, "but you do realize that he could reconstruct your password from the letters you gave him, don't you?" (I'd been thinking about the letters I'd overheard him give out). "Your password wouldn't be 'bubblegum' would it?" He turned white and immediately changed his password. His final defense of his actions was, "But the guy was insistent he didn't want me to give him my whole password. He kept telling me how concerned about my security he was."

It is truly amazing the information people will give out to complete strangers over the phone.
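
The "couple of characters" request in the story above, and the bank secret-word check it is compared to, are both partial-secret verification. The Python below is an added example, not code from the thread: a verifier that fixes the challenged positions for the whole session so a "bad line, give me different letters" request cannot widen the disclosure, with a helper that measures how much of a constructed secret each variant exposes. Class and function names are my own.

```python
# Added illustration, not code from the thread; names and secrets are constructed.
import hmac
import random


class PartialSecretVerifier:
    """Checks a few characters of a secret word, like the bank example in the story."""

    def __init__(self, secret, positions_per_challenge=2, max_attempts=3, seed=None):
        self.secret = secret
        self.k = positions_per_challenge
        self.max_attempts = max_attempts
        self.rng = random.Random(seed)      # seeded only to keep the demo reproducible
        self.challenge = None               # 0-based positions chosen for this session
        self.attempts = 0
        self.disclosed = set()              # every position the caller has been asked for

    def new_challenge(self, reissue=False):
        """Return 1-based positions to ask for.

        Hardened behaviour: one challenge per session, so a 'bad line, give me
        different letters' request gets the same positions again.
        Naive behaviour (reissue=True): fresh positions on every request, which
        is what let the caller in the story collect the whole password.
        """
        if self.challenge is None or reissue:
            self.challenge = sorted(self.rng.sample(range(len(self.secret)), self.k))
        self.disclosed.update(self.challenge)
        return [p + 1 for p in self.challenge]

    def check(self, answer):
        """Constant-time compare of the answer; locks out after max_attempts."""
        if self.challenge is None or self.attempts >= self.max_attempts:
            return False
        self.attempts += 1
        expected = "".join(self.secret[p] for p in self.challenge)
        return hmac.compare_digest(expected.encode(), answer.encode())


def disclosed_fraction(secret, rounds, reissue, seed=0):
    """Fraction of the secret exposed after `rounds` 'please repeat' requests."""
    v = PartialSecretVerifier(secret, seed=seed)
    for _ in range(rounds):
        v.new_challenge(reissue=reissue)
    return len(v.disclosed) / len(secret)


if __name__ == "__main__":
    # "bubblegum" is the password from the story; the caller asks ten times.
    print("fixed challenge:", disclosed_fraction("bubblegum", 10, reissue=False))
    print("reissued       :", disclosed_fraction("bubblegum", 10, reissue=True))
```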

Dr Small
April 2nd, 2008, 04:02 PM
Yeah, and that is really sad.
Most people are taken off guard when asked for their password by IT.

Whenever someone asks me, even in a roundabout way, it sets off Tripwire in my brain, and they never get squat out of me :)

kutjara
April 2nd, 2008, 04:11 PM
Yeah, and that is really sad.
Most people are taken off guard when asked for their password by IT.

Whenever someone asks me, even in a roundabout way, it sets off Tripwire in my brain, and they never get squat out of me :)

My standard reply to anyone who asks for my password is, "Of course. It's p-i-s-s-o-f-f." :)

billgoldberg
April 2nd, 2008, 04:14 PM
It's sad that people fall for this.

Why would a guy from the IT department need your password? It makes no sense. Sadly, most people don't realize this.

People using a computer at work should be given, at least, a few hours of lessons about the basics of how computers and their network at work work.

popch
April 2nd, 2008, 05:02 PM
Why would a guy from the IT department need your password? It makes no sense. Sadly, most people don't realize this.

I am 'the guy from IT', and there are situations where it is just more convenient for both the user and the IT support when the user gives his password to the IT guy.

However, since I am responsible for security as well, I will not tolerate my IT guys working that way.

Before you bash the IT guys too hard: some users appear to be intent on telling us their passwords. I have had to silence users on the phone quite a few times just when they were about to tell me theirs.

And would you believe it, those were people working with sensitive data such as HR or legal staff.

freebeer
April 2nd, 2008, 05:10 PM
I'm security conscious by nature... I won't even tell the girlfriend where I've been. :D

Sporkman
April 2nd, 2008, 05:45 PM
I'm security conscious by nature... I won't even tell the girlfriend where I've been. :D

It's rubbed off on her, as I'm sure he hasn't been forthcoming about her intimate contact with me. 8)

ZING!!! :D

freebeer
April 2nd, 2008, 09:34 PM
It's rubbed off on her, as I'm sure he hasn't been forthcoming about her intimate contact with me. 8)

ZING!!! :D

So it's you! Cool! Thanks! More time for me and my 'pooters! I'll buy you a beer some day. :D

Calash
April 2nd, 2008, 09:58 PM
IT guy here as well. We collect passwords when building new systems, or when troubleshooting problems and the client is not at their desk. The clients have the option of changing their password before giving it to us, but that is too much trouble for most of them, so they just give it and change it after we are done.

It is scary how quickly somebody will send you their password in an email, or on the phone, if you just say you are from IT.

macogw
April 3rd, 2008, 05:19 AM
IT guy here as well. We collect passwords when building new systems, or when troubleshooting problems and the client is not at their desk. The clients have the option of changing their password before giving it to us, but that is too much trouble for most of them, so they just give it and change it after we are done.

It is scary how quickly somebody will send you their password in an email, or on the phone, if you just say you are from IT.

Heh, we should all start requiring that IT send us GPG-signed emails stating that they need our passwords so we have proof it's the real IT dept that's asking, then reply back with a GPG-encrypted email containing the password, encrypted using the IT guy's public key.

EDIT: and have the password be to an "IT" account. Enable sudo access just when they're going to work on it, then revoke it immediately after.