"Our security auditor is an idiot"

by Volker Weber

A security auditor for our servers has demanded the following within two weeks:

  • A list of current usernames and plain-text passwords for all user accounts on all servers
  • A list of all password changes for the past six months, again in plain-text
  • A list of "every file added to the server from remote devices" in the past six months
  • The public and private keys of any SSH keys
  • An email sent to him every time a user changes their password, containing the plain text password

More >

Comments

i really love this statement:

"Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use."

This one is also nice, maybe its part of the security policy from sony:

"I see no data protection issues for these requests, data protection only applies to consumers not businesses so there should be no issues with this information."

Roland Dressler, 2011-07-27

I'm really hoping this is a "joke".

Amy Blumenfield, 2011-07-27

Ich nehme an, der Security Auditor ist von Sony, oder?

Dirk Steins, 2011-07-27

@Amy, he has been in the business longer then anyone on that site. So it sounds legit to me. ;)

Actually the whole thing reads like a Phish attempt.

Simon O'Doherty, 2011-07-27

Simon, maybe he's been in the business for far too long. The already quoted statement "Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use." really speaks for itself.

Daniel Haferkorn, 2011-07-27

Sorry to say that, but I think the auditor is doing his job ... if you give him all the data you are failing in this test.

Dirk Deimeke, 2011-07-28

After having read this one extensively I dislike a few things... to start with falsifying data is not a good idea. I do understand it was probably a heat of the moment thing and the thought was just spelled out probably due to desperation as the data could not be supplied. Still, not the type of thought you want to have a sysadmin spell out and think for more than 1 minute.
Also I would personally hope this was a social engineer. If not this is really scary and beyond. The tone of the replies of that social engineer (YMMV) was 'good' and gave me a laugh. It was convincing (for his dumbness) and condescending, everything mixed into it to upset the receiver.
This made my evening, it really did. In the discussion one comment caught my eye - a classic: Do not attribute to malice... etc.
I am still not sure what this was, could still be both, I hope it was a social engineer trying his luck. If not this is a f***ed up example of how Sony is not one of a kind but one of many, with more incidents to follow everywhere.

Alexander Koch, 2011-07-28

Even if it is not true this one is....

Two young ladies from a big, BIG auditing company. One was maybe 23 the other 25ish. They come out of the IT Directors office after an audit meeting and the younger (more junior I presume) asks the other:

"What is a gooie?"

"G-U-I", the other responds, "it is how you interact with the computer".

"Ah", said the younger, "now that makes sense. I wish I knew that before the meeting".

I can only imagine what their bill rate was.

Darren Duke, 2011-07-28

Und ich dachte nur bei uns laufen solche Pappnasen herum.
Gott sei Dank konnten wir solche DIS-Officer, TISO's, Auditoren usw. bisher meist davon überzeugen doch mal das Gehirn einzuschalten.

Thomas Switala, 2011-07-28

@Darren:
> "What is a gooie?"

My answer would have been "It is something you can use to track a killers IP address".

Simon O'Doherty, 2011-07-28

Recent comments

Marko Knaack on Google Chat & Meet verbergen at 16:20
Sven Richert on Cowboy 3 :: Smartes Single-Speed E-Bike at 14:15
Martin Imbeck on Cowboy 3 :: Smartes Single-Speed E-Bike at 13:43
Volker Weber on Cowboy 3 :: Smartes Single-Speed E-Bike at 12:18
Sven Richert on Cowboy 3 :: Smartes Single-Speed E-Bike at 12:13
Frank van Rijt on Jabra Elite 85h :: Stuff that works at 11:40
Martin Imbeck on Cowboy 3 :: Smartes Single-Speed E-Bike at 10:54
Volker Weber on Cowboy 3 :: Smartes Single-Speed E-Bike at 10:54
Volker Weber on Five years :: 1824 days at 10:47
Oliver Leibenguth on Five years :: 1824 days at 10:45
Volker Weber on Cowboy 3 :: Smartes Single-Speed E-Bike at 08:58
René Fischer on Jabra Elite 85h :: Stuff that works at 08:53
Ragnar Schierholz on Jabra Elite 85h :: Stuff that works at 08:18
René Winkelmeyer on Cowboy 3 :: Smartes Single-Speed E-Bike at 08:05
Dominique Roller on Cowboy 3 :: Smartes Single-Speed E-Bike at 07:53
Axel Koerv on Cowboy 3 :: Smartes Single-Speed E-Bike at 00:29
Uwe Papenfuss on Cowboy 3 :: Smartes Single-Speed E-Bike at 23:54
Axel Koerv on Cowboy 3 :: Smartes Single-Speed E-Bike at 23:53
Volker Weber on Jabra Elite 85h :: Stuff that works at 21:55
Volker Weber on Jabra Elite 85h :: Stuff that works at 21:52
René Fischer on Jabra Elite 85h :: Stuff that works at 19:51
Volker Weber on Jabra Elite 85h :: Stuff that works at 19:16
Ragnar Schierholz on Jabra Elite 85h :: Stuff that works at 19:14
Volker Weber on EPOS Adapt 660 :: Three Questions at 18:49
Martin Sckopke on EPOS Adapt 660 :: Three Questions at 18:06

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 18:29

visitors.gif

Paypal vowe