"Our security auditor is an idiot"

by Volker Weber

A security auditor for our servers has demanded the following within two weeks:

  • A list of current usernames and plain-text passwords for all user accounts on all servers
  • A list of all password changes for the past six months, again in plain-text
  • A list of "every file added to the server from remote devices" in the past six months
  • The public and private keys of any SSH keys
  • An email sent to him every time a user changes their password, containing the plain text password


Comments

I really love this statement:

"Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use."

This one is also nice, maybe it's part of the security policy from Sony:

"I see no data protection issues for these requests, data protection only applies to consumers not businesses so there should be no issues with this information."

Roland Dressler, 2011-07-27

I'm really hoping this is a "joke".

Amy Blumenfield, 2011-07-27

I assume the security auditor is from Sony, right?

Dirk Steins, 2011-07-27

@Amy, he has been in the business longer than anyone on that site. So it sounds legit to me. ;)

Actually the whole thing reads like a phishing attempt.

Simon O'Doherty, 2011-07-27

Simon, maybe he's been in the business for far too long. The already quoted statement "Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use." really speaks for itself.

Daniel Haferkorn, 2011-07-27

Sorry to say that, but I think the auditor is doing his job ... if you give him all the data you are failing in this test.

Dirk Deimeke, 2011-07-28

After having read this one extensively I dislike a few things... to start with falsifying data is not a good idea. I do understand it was probably a heat of the moment thing and the thought was just spelled out probably due to desperation as the data could not be supplied. Still, not the type of thought you want to have a sysadmin spell out and think for more than 1 minute.
Also I would personally hope this was a social engineer. If not this is really scary and beyond. The tone of the replies of that social engineer (YMMV) was 'good' and gave me a laugh. It was convincing (for his dumbness) and condescending, everything mixed into it to upset the receiver.
This made my evening, it really did. In the discussion one comment caught my eye - a classic: Do not attribute to malice... etc.
I am still not sure what this was, could still be both, I hope it was a social engineer trying his luck. If not this is a f***ed up example of how Sony is not one of a kind but one of many, with more incidents to follow everywhere.

Alexander Koch, 2011-07-28

Even if it is not true this one is....

Two young ladies from a big, BIG auditing company. One was maybe 23, the other 25ish. They come out of the IT Director's office after an audit meeting and the younger (more junior, I presume) asks the other:

"What is a gooie?"

"G-U-I", the other responds, "it is how you interact with the computer".

"Ah", said the younger, "now that makes sense. I wish I knew that before the meeting".

I can only imagine what their bill rate was.

Darren Duke, 2011-07-28

And I thought clowns like these only ran around at our place.
Thank God we have so far mostly managed to convince such DIS officers, TISOs, auditors etc. to switch on their brains for once.

Thomas Switala, 2011-07-28

@Darren:
> "What is a gooie?"

My answer would have been "It is something you can use to track a killer's IP address".

Simon O'Doherty, 2011-07-28
