10% of IT Pros Can Access Previous Jobs' Accounts 218
dinscott writes "According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users' electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence. It's no wonder then that half of them are concerned about insider threats to network security in their company's current infrastructure! But one of the most surprising results shows that one in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they've left the organization."
well, i can (Score:4, Interesting)
but is it my responsibility to suggest they change the password? especially since a 'professional' it outsourcing company took it over?
I'd better not be able to... (Score:5, Interesting)
My last action in my previous sysadmin job was to disable my own old accounts. If I find that they're accessible to me again, it means that:
Client resistance to security efforts (Score:4, Interesting)
Last year I actually lost a client for being too security conscious. They were a part-time client and only usually called me when it was an absolute emergency...most of the time when a problem happened they would try and fix it themselves, make it worse then call me. I tried to talk them into letting me come in once a month to patch and update on a scheduled basis. I was told I was trying to fleece them and pad my hours and that they felt they needed to take IT in another direction.
Nearly a year later I am still receiving backup notices, a few ,months back I found out accidentally that the root password hadn't changed when I ran a maintenance script that I used to do a resources audit, forgot to change the account info to a different client. I called them right away and instead of "thanks we will take care of it" I was told that I was hacking and that if I didn't stop they would report it to the police. I even tried talking to their new IT guy (one of the owners nephews) but he told me he was not allowed to speak to me and hung up.
I'm actually worried about the former client but am completely at my wits end about what I can do about it and frankly i'm worried that when the inevitable happens the first person they will attempt to blame for any disaster is going to be me. For now all I have been able to do is document my efforts to get them to fix the issue.
6 out of 10..... (Score:4, Interesting)
Have copies of companies assets in their possession. OR physical assets of the company still in their possession.
I was cleaning out some junk data the past weekend, went through my archive of 900+ CD-R's of the past 14 years and found several discs that I shredded as they contained company data from old employers. I also found a binder with a printout of some sourcecode that was for a old job from before 1995.
I dont worry about the guy that can access a server at work, I worry about the guy that leaves the job with a 64gb thumb drive that has the entire customer database on it.
It's quite common (Score:5, Interesting)
Most places will happily give you every password in the world when you start a job there. And sometimes the "intermediate" stage between you leaving and someone else doing your job is filled with outside contractors and random people who "need" your passwords.
Whenever I leave an employer, I make a BIG list of everything I know in terms of passwords, passcodes, keys, etc. and compile it on paper or a CD. I put literally everything in there, even down to little foibles of the system and the reasoning for strange configurations. I then furnish the boss with one copy of that CD, hand him another copy to "put in a safe place" (usually a safe) and then leave.
I did this at my last workplace. They were getting increasingly silly and employing people with zero expertise, and I already had another job already lined up so my entire notice period was spent house-cleaning and compiling lists while taking care of the mundane jobs.
Technically I reported only to the headteacher of the school in question, having been employed by him without any formal assignment in a staffing structure (to the point where the local borough phoned up to complain that I was earning too much for any of their pay-scales and had to be put on my own unique one).
When I left, there was no replacement for me (because they weren't interested in employing the only guy out of all the candidates that *could* do my job because he had formerly worked in Tesco's supermarket rather than sit on his arse in the middle of a recession) so I handed off to the headteacher. This immediately caused an argument because one of the new staff who was the new "second-in-command" there (and that decision was partly responsible for me wanting to leave in the first place!) DEMANDED the "admin password for the network".
He wasn't an IT guy. He knew nothing about computers at all. He just wanted it because he was sure that the dozens of digital voice recorders that he'd bought on a whim (without IT authorisation) could be made compatible with the non-networkable, kiddified, decades-old audio editing software he'd bought on a whim (without IT authorisation) on the network he didn't know how to manage, no matter how many times I told him they were incompatible. He was convinced that if he somehow got the "magic" administrator's password and then let 1000 kids loose with it so they could listen to themselves talking, it would solve his problems with not teaching part of the IT curriculum.
Obviously I must have been deliberately lying when his DRM'd-AAC-only recorders couldn't be opened in a program that only took WAV's (not even MP3's!) and that an intermediate conversion step (which he DEMANDED shouldn't be necessary and refused to use) was required.
Apart from the fact there were three networks, there were dozens of different passwords, and he wasn't getting *ANY* of their passwords until I was way outside the building and long gone, I had a duty to protect the information secured by those passwords (information on kids, people's salaries etc.). If you read the rules precisely, that means that I had to hand off ONLY to the headteacher, who could then hand off passwords to others as they saw fit.
So I did just that, in the process making my own day by telling the guy "No." even if he WAS second-in-command there (he didn't seem to understand that I didn't report to him, no matter what he thought of that idea). He was rather miffed. I also, with the head's permission, gave a copy of the CD to the lead governor of the school who was a big-iron IT guy for his day-job, that we both knew we could trust - he would be fixing any major issues that occurred in the school until they could find a replacement and he was there to sign-off on my hand-over.
A week later, a phone call from the second-in-command. He'd got the administrator password, tried it out on several PC's and couldn't do what he wanted (ignoring the fact that he wasn't using ANY of the network software management that we had in place). So he demanded that I give
Re:well, i can (Score:4, Interesting)
It's certainly your responsibility to never try that password. I left an IT job at a financial institution rather abruptly a couple of years ago after a blow-up with my boss over whether I was responsible for failures in a process that she'd explicitly delegated to another group. (Just the last in a long line of ex post facto policy and procedure changes) Anyway, I never had reason to try (nor would I, given the legal and moral aspects), but for a while I suspected they'd probably disabled my accounts but missed things like router passwords, voicemail passwords, etc. that were either too obscure or too difficult to change. Later, I spoke to a former coworker and found out that they spent untold sums of money on security audits and consulting after I left. Turns out, the best way to secure an organization is to talk doom and gloom, "nothing can save us" security for a while and then leave pissed-off and shouting.
As you might expect, once all those unfamiliar hands got into the shop, uptime went to crap. (Not good when you're dealing with other people's money) So, while I did nothing and probably didn't have any access anyway, the results for them were much the same - large cleanup bill and lost customer confidence. A moral of the story might be that while documentation, procedure, and security are all vital parts of IT, they can't substitute for a good management relationship with a competent, loyal staff. This is particularly true for organizations with IT shops on the smaller side of the staffing scale.
Re:well, i can (Score:5, Interesting)
With clued people, there may not be convincing evidence.
However, in a jury trial with the DA throwing the book at you for a lot of computer trespass charges, convincing a jury of that is a lot harder.
We all have dealt with the Joe Sixpack archetype. He calls you on the phone demanding you "fix" his computer. Because he is either a friend of someone you care about, or otherwise can't tell him where to stick it, you go over. You make it past the baying mangy hound menagerie, avoid the cans of Bud Light on the front porch, hold your breath as you round the TV area that is permanently turned onto Fox News, and narrowly dodge the gun cleaner oil perched precariously on a table.
Finally you get to his computer. The copy of AV software has expired (or never been activated.) You see the hard disk light constantly on even though the box is idle. Further prodding finds that a reinstall is a must because iexplorer.exe and explorer.exe got corrupted and replaced by something. The recovery partition? Completely corrupted.
You ask Joe for the install media. He never made the install CDs (if he bought the box from most PC companies), or he lost the media (if he bought a Dell). You ask him about backups. He tells you that if he backs his pickup up any more, it will smash into the wall. You ask him about saved images of Windows. He wonders why you want pictures of stuff found in a Pella or Andersen catalog.
End result is that you tell him to buy some install media. He ends up stopping by Best Buy and just buying another computer. You help him get the new machine set up and browsing the NSFW stuff (the computer's primary use), and almost certainly, the cycle will begin again in a few months.
Now picture twelve of these types of people who have zero clue about computers. They are deciding your fate, and they have possibly the rest of your life in their pork-rind stained hands. The DA will tell them in the opening/closing statement that you trespassed electronically, and the jury will just rubber stamp that verdict and the sentence time asked, because they don't know better. They will dismiss the defense as greasy nerds with "ass-burgers syndrome" who are trying to spout meaningless technobabble in order to get a disgruntled employee off the hook.
It just pays not to log in at all, whatsoever to an ex-employer without permission. It also pays to use a strong password, so you are not kept up at night wondering if a cracker would get in and get you blamed for it.
Re:well, i can (Score:4, Interesting)
It's all in how you phrase it.
"Please change the bob.admin account's password, as it appears to not have been changed" : BAD.
"Hey Cyril, I just wanted to follow up and make sure that the new IT guys at XYZ.inc got all of my old accounts locked down. I expect they already changed the password on my old bob.admin account and disabled its permissions, but I want to make sure they also locked down the bob.vpn account and removed the firewall exceptions that we'd installed when I needed to fix the webserver that one time on my vacation." : LESS BAD.
The latter doesn't imply that you tried to access it, but rather that you're trying to make sure that the new IT people know about all of your accounts, not just the obvious one. The IT guys will say, "Oh yeah of course we did that ... " and then go fix it quietly if they didn't.