"Our security auditor is an idiot"

by Volker Weber

A security auditor for our servers has demanded the following within two weeks:

  • A list of current usernames and plain-text passwords for all user accounts on all servers
  • A list of all password changes for the past six months, again in plain-text
  • A list of "every file added to the server from remote devices" in the past six months
  • The public and private keys of any SSH keys
  • An email sent to him every time a user changes their password, containing the plain text password


Comments

I really love this statement:

"Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use."

This one is also nice, maybe it's part of the security policy from Sony:

"I see no data protection issues for these requests, data protection only applies to consumers not businesses so there should be no issues with this information."

Roland Dressler, 2011-07-27
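The quoted claim gets the purpose of password hashing backwards. As an added example (not code from the post or from anyone in the thread), this is what a password store looks like that simply cannot answer a request for "plain-text passwords for all accounts": each password is turned into a one-way, salted PBKDF2 record that can be verified but never recovered. The record format, the iteration count and the function names are my own choices, not anything from the page.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumption: a current OWASP-style value).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algo$iterations$salt$derived_key.

    The derived key is a one-way function of salt and password. Nothing in the
    record, and no key held by the administrator, maps it back to the password,
    which is exactly why it cannot be "moved to a recoverable format".
    """
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def records_are_unlinkable(password: str) -> bool:
    """Two users with the same password get unrelated records, because the
    salts differ; the store cannot even reveal who shares a password."""
    return hash_password(password) != hash_password(password)
```

The only thing an administrator can hand an auditor from such a store is the records themselves, which are useless for logging in and say nothing about the passwords.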

I'm really hoping this is a "joke".

Amy Blumenfield, 2011-07-27

I assume the security auditor is from Sony, right?

Dirk Steins, 2011-07-27

@Amy, he has been in the business longer than anyone on that site. So it sounds legit to me. ;)

Actually the whole thing reads like a phishing attempt.

Simon O'Doherty, 2011-07-27

Simon, maybe he's been in the business for far too long. The already quoted statement "Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use." really speaks for itself.

Daniel Haferkorn, 2011-07-27

Sorry to say that, but I think the auditor is doing his job ... if you give him all the data you are failing in this test.

Dirk Deimeke, 2011-07-28

After having read this one extensively I dislike a few things... To start with, falsifying data is not a good idea. I do understand it was probably a heat-of-the-moment thing and the thought was just spelled out, probably due to desperation as the data could not be supplied. Still, not the type of thought you want to have a sysadmin spell out and think about for more than 1 minute.
Also, I would personally hope this was a social engineer. If not, this is really scary and beyond. The tone of the replies of that social engineer (YMMV) was 'good' and gave me a laugh. It was convincing (for his dumbness) and condescending, everything mixed into it to upset the receiver.
This made my evening, it really did. In the discussion one comment caught my eye - a classic: Do not attribute to malice... etc.
I am still not sure what this was, could still be both; I hope it was a social engineer trying his luck. If not, this is a f***ed up example of how Sony is not one of a kind but one of many, with more incidents to follow everywhere.

Alexander Koch, 2011-07-28

Even if it is not true this one is....

Two young ladies from a big, BIG auditing company. One was maybe 23, the other 25ish. They come out of the IT Director's office after an audit meeting and the younger (more junior, I presume) asks the other:

"What is a gooie?"

"G-U-I", the other responds, "it is how you interact with the computer".

"Ah", said the younger, "now that makes sense. I wish I knew that before the meeting".

I can only imagine what their bill rate was.

Darren Duke, 2011-07-28

And I thought such clowns only roamed around at our place.
Thank God we have so far mostly managed to convince such DIS officers, TISOs, auditors etc. to switch on their brains for once.

Thomas Switala, 2011-07-28

@Darren:
> "What is a gooie?"

My answer would have been "It is something you can use to track a killer's IP address".

Simon O'Doherty, 2011-07-28
