Slashdot Log In
88% of IT Admins Would Steal Passwords If Laid Off
Posted by
ScuttleMonkey
on Fri Aug 29, 2008 02:40 PM
from the you-know-they-have-conjugal-visits-there dept.
from the you-know-they-have-conjugal-visits-there dept.
narramissic writes "According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords' survey, a whopping 88% of IT administrators would steal CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords if they were suddenly laid off. The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
Related Stories
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Reminds me of the old joke... (Score:5, Funny)
99% of men masturbate. The other 1% are lying.
Not reasonable (Score:5, Interesting)
Re:Not reasonable (Score:5, Insightful)
Sounds like an unreasonable estimate to me.
I would be much more interested in the percentage that has already stored such information just in case such an eventuality occurred.
Parent
Re:Not reasonable (Score:5, Insightful)
A company hawking privacy management claims your IT department is filled with thieves and extortionists. Shocking, I tell you, shocking!!!!
Parent
Re:Not reasonable (Score:5, Funny)
And they thought to warn us, how considerate. Perhaps they also have the perfect solution to the problem.
Parent
BOFH (Score:5, Funny)
You've never seen my personal IT Bible, the Archives of the BOFH.
He exemplifies keeping a system running smooth THROUGH vindictive and dishonest means.
He's my Hero.
Parent
Re:Not reasonable (Score:5, Interesting)
Sounds like an unreasonable estimate to me. If people were that vindicative and dishonest then IT (and similar) systems wouldn't ever keep working.
Why is Parent comment not modded "Funny"?
A) I don't know if I would have guessed these numbers exactly, but it certainly shouldn't be a totaly surprise to anyone who's worked in IT for any length of time. B) 300 is not even close to a statistically relevant sample size.
That said, the part that I think is interesting is that this corruption is more intense the higher you go in the corporate ladder. What makes that funny upon interesting is that I think the C-level folks may think they're the only ones who do this - this article might actually be news to them. Now that is funny!
Layoffs, by the same token, in practice are generally every bit as corrupt, vindictive (in who gets selected to go) and dishonest (they're usually to boost quarterly profits). Businesses still work (relatively speaking anyway) in spite of that as well.
I'd say this article and the study itself are slanted against workers.
-Matt
P.S. This is another POS Computerworld article - Computerworld UK this time. IMHO, anyway.
Parent
Re:Not reasonable (Score:5, Funny)
Parent
Re:Not reasonable (Score:5, Funny)
Parent
Re:Not reasonable (Score:5, Funny)
Parent
Re:Not reasonable (Score:5, Informative)
It's off topic, but please tell me more about your IT infrastructure. I promise to to do anything bad with it.
I am constantly amazed at how willing people are to tell you how to attack their own systems, particularly on Slashdot, where simply implying somebody is doing poorly will practically get you full description, network maps, and vulnerability reports.
Similarly, I was talking to a friend in the Army the other day about IT security, and he told me that he didn't think I could attack his unit's systems, then went into a long discussion about what protections are in place. Out of curiosity, I decided to find out what I could learn. He only clammed up when I started probing for specifics about password policies on a particular device.
People: please don't tell anybody about your IT configuration. At least not on a public forum like /. Admittedly, a lot of it is easy to find out other ways, but that's no reason to give that information out.
Parent
Re:Not reasonable (Score:5, Funny)
I once got what I assumed to be an attempt at social engineering into our systems.
Caller (who did not identify himself): "Hi, would you be interested in completing a survey?"
Me (bored): "Uh, alright."
Him: "Can you outline for me the steps you take to ensure the security of your IT systems?"
Me: "Absolutely! First, I do not discuss my security configurations with unknown people. Have a nice day." and then hung up on him.
Parent
Re:Not reasonable (Score:5, Insightful)
Yes, it's security through obscurity, and I'm as big a fan of Schneier as anybody, but that is still no reason to give out information.
It's no secret that with enough knowledge of the system, any system can be hacked. That alone is reason to not make knowledge of the system public information.
To some extent, security through obscurity is absolutely necessary.
Parent
Re:Not reasonable (Score:5, Insightful)
Not if your systems are properly secured. Unless you consider obscurity keeping your actual password(s) secret :)
Seriously though: most systems have some vulnerabilities and explaining the details will occasionally open the door for someone who knows more than you do. Yes, it's good to keep this information private. BUT, when designing a security system you need to work based on the assumption that an attacker knows the entire layout. Knows exactly what hardware, software, version, firmware, etc. you have exactly. Anything less is NOT a properly secured system.
If a network is properly secured the person/group/department who designed it should not be able to gain unauthorized access
Parent
Re:Not reasonable (Score:5, Funny)
Doesn't work , my router is on 192.168.123.254
However , if you enable remote access on your router , you have a chance of winning a lottery. All you have to do is sign up , and give your external ip as a reference , if your ip wins , you win the great amount of $50M ( fiftymillions US dollars ) . It's from my aunt in Nigeria who died in mysterious plane crash.
Parent
Re:Not reasonable (Score:5, Interesting)
The odds of running into a malicious hacker when looking for technical help are nearly nil. Hackers simply don't work this way.
It's called Google, and hackers absolutely do work this way. I should know.
Let me tell you a little story.
I am a penetration tester by trade. I was tasked to look into a particular company's custom-built project-management app, which I had no prior knowledge of, access to, or even IP addresses for.
After a bit of googling, I came up with the names and email addresses of a few developers (some of whom no longer worked for the company). Googling those email addies, I found posts on various forums for MsSQL administration, ASP coding, and cisco routers. Within only a few minutes, I knew the hardware that the system was running, the firmware version on the router, the technology in use, and even had some code samples pulled straight from the app.
I located and compromised that application with no prior knowledge in less than an hour.
Having other people "check your work" is a GOOD thing and it's how IT security is actually improved in practice
Yes. Having Project Managers, your programming peers, and a security auditor with an NDA check your work is a good thing. Having some random guy on a forum check your work, and publish the results where they will be archived, index and searchable forever, is an extremely stupid idea.
Parent
Re:Might Be Reasonable (Score:5, Interesting)
I've been through a couple of layoffs. In one, the company was concerned about stealing, sabotage, and other vindictive behaviours. So they surprised everyone with two week severance packages and an escort out the door one morning. They brought in people at the butt crack of dawn to turn off every computer in the building. Later, "core" people started deserting the company, taking whatever they wanted with them.
In the other one, there was an announcement, something like, "The 20 people in this room are being laid off. Starting in two weeks we're going to lay off 4 people per week for 5 weeks. We expect you all to continue to do your jobs as well as you can *while* you look for work. Let your supervisor know of any scheduled interviews, they will be considered paid time off. As you find work report your start date so each week we can try to lay off people who already have new jobs."
The second layoff went without a hitch. The people laid off kept relations with the company, some came back later.
I know it's not the same as firing someone, but it does seem to me some companies treat laid off employees as if they've been fired.
Parent
Re:Might Be Reasonable (Score:5, Funny)
Sabotaging a network is no different than setting fire to the building.
B-b-but, but but, they they took my stapler. It's the - the red swingline model.
Parent
a survey (Score:5, Insightful)
Yea, and I'm training to be a cage fighter.
More like 88% of IT Admins like to say they would steal CEO passwords if laid off, but something tells me when the time came to break the law they would let the opportunity slide.
Re:a survey (Score:5, Insightful)
...but something tells me when the time came to break the law they would let the opportunity slide.
And they'd be wise to do so. Anyone who thinks that stealing such things once laid off is a bright idea just does not have a criminal mind.
Think it through, fellas - what, exactly, do you plan to DO with this data?
Do you intend on working in your field, ever again?
How do you feel about seeing the inside of a federal prison??
Seriously, lay off the power trip. It's just a fucking job. Don't screw up your ENTIRE life just because you have the password...
Parent
Re:a survey (Score:4, Informative)
Parent
Re:a survey (Score:5, Interesting)
If you are that good as a IT admin (or any other position, for that matter), if you are that good, they will have already done more damage to the company by firing you, that you could do deliberately back to them.
Recruiters estimate that simply by firing one person and hiring another, a company will lose around $120,000 in productivity alone; HR and accounting paperwork to fire that person, redundancy payments for several months in advance, along with recruiters fees to find someone new, time taken by existing employees to interview possible candidates, more HR and accounting paperwork to hire the person if there is a match, and time taken by the new employee to get up to speed. Not even considering that other people may be waiting for various tasks to be completed by the person in that position.
Parent
Best Revenge Ever... (Score:5, Insightful)
... Is being missed.
I was vindictively fired by a total idiot. I made sure that everyone I knew at the company knew the hows and whys of my dispute (including where I _was_ at fault). I also always start grooming my replacement the first day I take a job or can identify the best guy to replace me, because who wants to be stuck in the same job forever.
In the days following my firing I took several opportunities to talk the guy who replaced me (my friend Dan) how to lock me out of various machines and such.
For almost eighteen months people at that job were forced to say "is a good thing (my name) made sure we had extra capacity laid in while the trench down the block was opened", or thing-x was purchased, or policy-y was in place.
By the end of that eighteen months, the guy who had fired me had been shown to be the kind of person who he was, and he was invited to leave the company. (I was long gone and made no attempt to return.)
If you have to "do something" to your company to make them feel the pain of your absence when you are gone, you weren't previously doing your job.
Competence, and never looking back except to laugh, is the best revenge ever.
Parent
Re:a survey (Score:5, Interesting)
I agree, accidently deleting a huge database is better. go in, yank 1 cable from the back of the server and plug it back in from one of the power vaults to the Raid 50 and the raid will eat it's self over the course of 2-3 days. Without any admins familiar with it, they will not get the pile of raid failure warnings until most of the DV and files are corrupt. Bonus points if it takes 2-3 weeks and all the backups are corrupted as well.
Impossible to trace or prove anything was intentional, and it screws them good.
There are at least 80 other ways to cause gradual data corruption that without familiar IT staff on hand will grow out of control by the time someone finds it.
Screw stealing passwords or data, just start a chain of unfortunate events.
MY favorite is to make some very restrictive rules in the company firewall and then save it, revert to the old rules right before you're laid off. the date stamp will be from months previous and confuse anyone tromping around in it.
Parent
Re:a survey (Score:5, Funny)
"Conjugal Visit Prison", or "Pound Me In The Ass Prison"?
Depending on your perspective... Yes?
Parent
Re:a survey (Score:5, Insightful)
Uh... as the admin what need do I have for the CEO's password? I have more access to the network than he does.
I'd have to agree this whole article sounds like BS to me.
Parent
In other news... (Score:5, Funny)
12% of all admins were laid off today in order to clear up resources for paying ransom on old passwords...
New Poll (Score:5, Funny)
88% of IT Admins Would Steal Anything to get Laid
And Cyber Ark are selling? (Score:5, Insightful)
Let me guess...
Re:And Cyber Ark are selling? (Score:5, Insightful)
Parent
Figures Seem Inflated (Score:5, Insightful)
But... (Score:5, Insightful)
How many of them are just saying that to sound cool?
Strong morals? (Score:5, Funny)
Betray the betrayer? (Score:5, Interesting)
When someone is laid of for no apparent reason, they often feel hurt and betrayed. A natural reaction is that the trust between them has already been destroyed.
At one company I was with, a sysadmin was on a conference call, and had his hands full when the call ended. The CEO never hung up the phone, and started talking to his assistant about people loosing their jobs and how much severance would be paid. The sysadmin, who probably should have hung up when he was first able to, couldn't resist listening for a short time. After a couple of minutes, the CEO finally realized that his phone was still on, and hung up the line. By that time, the sysadmin knew that several people would be laid off soon, but not how soon, or which people.
He informed a couple of his friends that the company was in worse shape than he had realized, and discretely began updating his resume. Within a month, the company was bought out and closed down by another company and everyone lost their jobs. He was asked to stay on as part of the transition team and that the new company would pay him, but after a couple of days, it was clear that he had been working for free and the new company was not going to honor the agreement.
At that time, he still had sysadmin access, and began to look through emails of the former employees. Some, including the CEO, were still getting and sending emails through web access through the old company server. He learned that although the board of directors did not want to spend the money to make sure that the fired employees could still have health insurance for a couple of months, they were willing to give the former CEO $25,000 for his efforts.
I have always said that a good sysadmin knows all the secrets of a company, but a great sysadmin knows when not to look. In this case, was the sysadmin justified in looking after he had been promised to be paid and then told he was not being paid? (Yes, his access should have been cut off, but he was the one who would have had to cut himself off and he was never told to do so.)
Although this situation may be unique, I think that many sysadmins may feel the same way. Once they are betrayed, they no longer feel the need to stay loyal to those that betray them.
Parent
Re:Strong morals? (Score:4, Insightful)
And they do - Those morals and ethics just don't overlap 100% with "corporate policy" (or for that matter, "the law").
And I don't mean that as a joke... IT pros have a rather unusual role in the history of humanity, in that without trying, we become aware of far more details of peoples lives than they realize. Even priests in the confessional don't have the insight we do - People can lie to their priest. They can't lie about logfiles.
People, as a whole, count as (by their own standards) hypocritical perverted criminals. They all (and I mean that deliberately as an unqualified universal quantifier) do things they would themselves describe as disgusting and/or reprehensible if asked in a neutral context. They all steal, they all lie, they all cheat, they all put #1 ahead of everything else unless pretending to do otherwise will result in a self-preferable outcome.. And you expect those of us who know (rather than merely suspect) this to have a traditional world-view when it comes to right and wrong?
I think the survey should have asked a slightly different question, to make it more meaningful... "Do you already have memorized enough info about the company to bring it to its knees if you decide they've really screwed you over"? And I'll bet you'd get a similarly high percentage answering "yes".
Parent
Re:Strong morals? (Score:5, Informative)
Scoundrels always think everyone else is a scoundrel, too.
Parent
Survey is Pants (Score:5, Insightful)
"According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords'"
Making the IT folk out to be bogeymen is great business for security pros. I'm sure there are some idiots out there, but most IT people are normal honest people like anybody in any other profession. I don't buy that we are so far off the curve, 81% is bullcrap and makes me question everything about that company and it's motivations and methods for the survey.
Nothing to see here (Score:5, Insightful)
Post here if you're a minority as well (Score:5, Informative)
I haven't, I wouldn't. At best you encounter some of those things during ordinary work or even unproductive boredom.. but I totally see no value in having such details of a place you no longer work.
(Of course here in Europe there's a due notice so you have plenty of paid time to find a new job, but still..)
Maybe I'm just daft or weak?
Let me guess (Score:5, Insightful)
....you take a survey saying something like "Have you in your work had access to..." or "Have you known company information after leaving..." which you often have then tweak it into "IT admins spy on you and will steal your IP" in order to make FUD and sell your product? I think I know enough people in the IT business to tell that these numbers are horribly off.
The other 22%... (Score:5, Insightful)
When I was an admin (short stint so I could pay bills, 3 years) I usually didn't give a rat's ass about what the users stored on their system unless it showed up in my virus scan reports or I was told to investigate someone due to "suspicious behavior". (BTW folks, before you get off on the 'evil spying on users' tangent for me, it was only twice and it was two girls working in tandem selling info to another company on how much certain people were paid.) I never could understand the whole "I have the power!" attitude some people showed when it came to passwords or how they'd screw the company if they were laid off. If I felt I was unfairly fired or downsize or funsized, whatever, that's what my lawyer is for (he works for cheap cause I fix his laptop, heh). Why complicate issues by fudging with the network access?
Maybe I'm just too young to understand yet. Now if you'll excuse me, I have to play with my army men, we're planning an attack on the tan army on the coffee table and I gotta move equipment for em.
Re:The other 22%... (Score:5, Insightful)
As a system admin who has access to ten years of email at an institutional finance firm, I can tell you that I have absolutely no desire to go through these records; sure there would be juicy tidbits about office relationships, hot stocks, whose getting what promotion etc but your integrity is way too valuable for any such tomfoolery. Moreover, my experience is that my coworkers have pretty much all been of like-mind. There's just no upside to doing any of the things listed in this article; it most certainly will not get your job back nor will it help you get another job and as has been said before it will get you put in jail.
And, as was said earlier, it's so shocking to find a company that does security consulting say that the weakest link in your security chain is your people, I mean who would of thunk it? Oh wait, Michael Milken did way back in the 80's and I'm sure someone else did it before him...
Parent
88% of IT Admins Are Stupid (Score:5, Insightful)
If I'm ever show to the door, I would insist on my ability to operate on the system being terminated at that moment. I don't want VPN access. I don't want an email account. I don't want SSH keys. I sure don't want the boss's password. Why? Because I don't want to be accountable for anything that goes wrong afterward.
Think about it, people. If the IDS catches you SSHing in a couple of weeks after you've left, then they have carte blanche to hold you responsible for whatever breaks, even if it's totally unrelated. Good luck convincing a jury that Oracle coincidentally just happened to explode an hour after you logged into your old workstation. Seriously, what good can possibly come from putting yourself in that situation?
As a former admin who was laid off... (Score:4, Interesting)
The last thing I wanted was to be in a position where someone hacked the systems and I got blamed because I "knew the passwords"....
I even handed over my personal notes on the network and had my boss shred the ones he didn't need before I left.
I can't believe there are that many admins who have that little respect for themselves that they'd be willing to steal passwords.
I think all sysadmins should review this (Score:4, Interesting)
Re:This is silly. (Score:5, Funny)
Better go the pre-emptive way: make offside backups before the shit hits the fan.
Bad idea. You'd get a 5 yard penalty on the play.
Parent
Re:Inaccurate? (Score:5, Funny)
as for who they actually ... who knows?
300 felons recently paroled for computer and technology related crimes.
Parent
Re:Not a surprise. (Score:4, Insightful)
Another reason to hire older admins, younger ones get bored easily and as a result commit more mischief, I remember the last few years I worked, it seemed that the younger people were always trying to find out how to bypass Squid to go look at porn sites, etc.
It just made my job harder and more annoying. Short attention spans and an inability to function without continuous entertainment seems to be a common failing among millennials.
Parent
Re:Not a surprise. (Score:5, Insightful)
This is one of the things that I love about proxy firewalls. I have colleagues that try to run connections over port 80, and then get stopped because it's not HTTP. They come complain to me, and find a very unsympathetic ear.
I am bothered by the poor ethics of those around me. They think nothing of talking in the aisles about which BitTorrent sites get them the best movies, or how they only watch screeners or play cracked games because only stupid people pay for entertainment. They get frustrated when they run into refusals when trying to get the discs or keys for Microsoft software for which they have no clear need, and try to talk me or the other two people who do have access to them into giving it to them. I tell them that if they need it cheaply that bad they should get a TechNet subscription. They usually just wander off at that point, or sometimes storm off, as if they were somehow entitled to it.
I used to grab everything that I could off of various sites, pulling things down over Kazaa or eDonkey at the time, but I've left that in the past. I've got a job that pays well, and I know they're not underpaid.
I think that ethics in IT have slid dramatically downhill, so that the norm seems to be that people don't want to get caught, rather than not wanting to break the ethics guidelines in the first place. I'm not sure what exactly to do about it, other than try to set a good example. But even then, I've heard some suggesting quietly to others that I'm just hiding my own sins (hint to those people: make sure I'm not in the cubicle next to you when you talk about me). I'm at a loss at that point.
Parent
Re:Not a surprise. (Score:5, Insightful)
In other words, now that you've had your fun you're going to go criticizing the young whippersnappers having theirs.
Parent