
10% of IT Pros Can Access Previous Jobs' Accounts

dinscott writes "According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users' electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence. It's no wonder then that half of them are concerned about insider threats to network security in their company's current infrastructure! But one of the most surprising results shows that one in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they've left the organization."
  • well, i can (Score:4, Interesting)

    by gblfxt ( 931709 ) on Thursday February 17, 2011 @08:53AM (#35231206)

    but is it my responsibility to suggest they change the password? especially since a 'professional' it outsourcing company took it over?

    • Fuck no, it's not. And I'd have a hard time not getting behind some proxy and doing something bad, in your case. Unless I'm reading you wrong and it wasn't a sour situation for you.
      • by gblfxt ( 931709 )

        I am a professional, and I understood that they thought I was overpaid (especially since after I was there for 2 years, there were hardly any network issues). I don't wish them harm, but I would like to at least hire a competent IT outsourcing company to replace me, so I know my 2 years of work ended up in good hands... :)

      • by SmallFurryCreature ( 593017 ) on Thursday February 17, 2011 @10:55AM (#35232684) Journal

        I know I still got access because they called me from a previous job if I could help them out and I just tried my login during the call to see what was going on and it was still there. I just thought "oh", fixed the issue and mailed that I still had access and left it at that.

        I am a pro but not a sys admin. If I do not work for them, I do not have a need to access their servers and so I don't. Not very hard. Disgruntled? Even then I wouldn't because it would be against the law and could seriously hurt future employment.

        The trick therefore for companies is to both have good account management AND hire professionals who care about not becoming a criminal.

        Seriously kid, to anyone who read this, you just gave a massive reason NOT to hire you.

        Do I as an employer constantly have to worry if it is that time of month for you?

        • I can see how that could turn into a mess.. If I was in that situation, I'd probably want to help, but imagine if something went wrong - even something unrelated to what you did to fix the problem. Some clueless manager could flip out and make life really hard for you.

          Years ago, I repaired photocopiers. Once I just stopped at an account for periodic maintenance because I had nothing else to do. First thing I did was hit the copy button for a test copy, and the scanner lamp blew. I didn't have any lamps fo
        • Re: (Score:3, Insightful)

          by flimflammer ( 956759 )

          Do I as an employer constantly have to worry if it is that time of month for you?

          If you as an employer had the forethought (they rarely do) to worry about that, then they would have changed the login credentials already.

          I don't feel the need to baby my ex-employers through their incompetence. I'm not going to do anything with the information, but when you let me go, my obligation to the company ends there. It should be standard operating procedure when you let someone in IT go who has privileged login credentials, that you revoke those credentials.

        • by candl ( 68944 )

          >The trick therefore for companies is to both have good account management AND hire professionals who care about not becoming a criminal.

          I found myself on the receiving end of the recession a year ago, having to suddenly tune my interviewing skills again. I still think one of my best selling points was being able to answer the "Why should we hire you?" question with this:

          "My position was eliminated and I was given a 90 day notice by my previous employer. At which point I was allowed to work through the

      • by mcrbids ( 148650 )

        And this is why you are likely unemployed. If not, you probably should be. As an employer, if I found out you made a comment like this recently anywhere during the due diligence that is our hiring process, your application would immediately be round-filed.

        The *only* thing you really have is your honor, because when that's gone, you're toast. Ask security consultant firm HBGary Federal how they're doing now that their lax security has been exposed. [arstechnica.com]

        As a technology consultant myself, I frequently review articl

    • Re:well, i can (Score:5, Insightful)

      by John Hasler ( 414242 ) on Thursday February 17, 2011 @09:25AM (#35231510) Homepage

      > but is it my responsibility to suggest they change the password?

      You should do so for your own protection. Do it in writing. Don't check to see if the password has been changed, however: you could be accused of "breaking in". Just send them a letter reminding them to make the change.

      > especially since a 'professional' it outsourcing company took it over?

      Which may look around for a scapegoat after they screw up. You really don't want them to discover that a break-in occurred via an account for which you, a "disgruntled former employee", had a password.

    • No, it's not your responsibility at all - but it is your responsibility to never try to gain access to an account you no longer have authorisation for (authorisation and ability to access are two different things; it's good to have both to be in the clear).

      Why are these people trying their old accounts? What legitimate reason could they have (beyond being rehired or working as a consultant for their old employer)? I quit a long term job over a year ago, I'm pretty sure some of the public facing accounts I
    • My previous employer had a crapload of generic admin logins on the network.

      My last responsibility when I left was to disable my own account, so I'd assume that my personal username and password would no longer work.

      But I'd be very surprised if they bothered to change all those generic admin logins... I met a ton of resistance when I tried doing it while I was there.

      • by skids ( 119237 )

        Generic admin accounts are bad security policy, and bad change control policy. You were right to try to get them to change

        Sometimes these accounts are unavoidable, though, since certain vendors support only root access plus remote AAA, with no local user database capability. Unfortunately, centralized authentication is itself a security/stability problem (DoS) when you are dealing with systems that can get isolated from the AAA server or AAA server setups that are not sufficiently redundant.

        So pretty much

    • When an administrator leaves we explicitly leave their root access still on; that way, admins are not likely to build security flaws in the system.
      And no, our admins are not just some guy we picked up from the streets because he knew how to release the caps lock key.

    • Comment removed based on user account deletion
      • Re:well, i can (Score:4, Insightful)

        by bzipitidoo ( 647217 ) <bzipitidoo@yahoo.com> on Thursday February 17, 2011 @10:43AM (#35232492) Journal

        Seriously. Unless you are rehired, never touch your old accounts again, no matter how well intentioned. The law is over the top on punishing evil hackers. Even if the risks seem low, the law makes it so not worth helping out should things turn sour. The least you should have is decent compensation for the risks you're taking, and to help allay suspicions of whether you could have ulterior motives.

        My last employer wanted me to continue to help out after the money ran out. So I was to keep right on doing what I had been doing, with no contract, and no pay? No way!

    • Re:well, i can (Score:4, Interesting)

      by rayd75 ( 258138 ) on Thursday February 17, 2011 @11:22AM (#35233082)

      It's certainly your responsibility to never try that password. I left an IT job at a financial institution rather abruptly a couple of years ago after a blow-up with my boss over whether I was responsible for failures in a process that she'd explicitly delegated to another group. (Just the last in a long line of ex post facto policy and procedure changes) Anyway, I never had reason to try (nor would I, given the legal and moral aspects), but for a while I suspected they'd probably disabled my accounts but missed things like router passwords, voicemail passwords, etc. that were either too obscure or too difficult to change. Later, I spoke to a former coworker and found out that they spent untold sums of money on security audits and consulting after I left. Turns out, the best way to secure an organization is to talk doom and gloom, "nothing can save us" security for a while and then leave pissed-off and shouting.
      As you might expect, once all those unfamiliar hands got into the shop, uptime went to crap. (Not good when you're dealing with other people's money) So, while I did nothing and probably didn't have any access anyway, the results for them were much the same - large cleanup bill and lost customer confidence. A moral of the story might be that while documentation, procedure, and security are all vital parts of IT, they can't substitute for a good management relationship with a competent, loyal staff. This is particularly true for organizations with IT shops on the smaller side of the staffing scale.

  • by HappyHead ( 11389 ) on Thursday February 17, 2011 @08:54AM (#35231224)

    My last action in my previous sysadmin job was to disable my own old accounts. If I find that they're accessible to me again, it means that:

    • They somehow guessed my line-noise password, and put it back on the account, or
    • They broke the servers badly, and had to restore everything from the backup I made before I left, and then were too stupid to re-do the list of admin tasks afterwards, which included disabling the accounts of three other former employees, one of which was fired for dirty dealings.
    • by kwenf ( 1531623 )

      They broke the servers badly, and had to restore everything from the backup I made before I left, and then were too stupid to re-do the list of admin tasks afterwards, which included disabling the accounts of three other former employees, one of which was fired for dirty dealings.

      I find this scenario plausible. You should check if you can access the accounts.

    • by Stenchwarrior ( 1335051 ) on Thursday February 17, 2011 @09:13AM (#35231396)
      They made you disable the access?! That's either very lazy or...well, I don't know what else. Relying on the person leaving to kill their own access is a bit like leaving the wolf to tend the chickens, no? I'm sure there are audit trails that show that if certain places in the network are accessed it can be traced back to your username, but who's to say that your particular account didn't get hacked? This only creates headaches for the IT manager later down the road. This reminds me of my brother who is very good at not working, but at a cost where he actually works harder to not work, more so than he would if he actually just fucking worked.
      • No, I made me disable access. I left because I got a (much) higher paying job in a different industry. The boss at the old place was a friend of mine, and I explained to him what I was doing and why, as well as making sure that everything was well documented for whoever they eventually had to hire to replace me when the Vice President finally admitted he couldn't also be the entire IT department for a 40 person company.
      • I disabled my own account too. Locked my own mailbox, logged on as Domain Admin, moved any documents or files which may be required by a successor out of my user area, disabled my user account, and handed the "key to the city" to the next guy, who promptly changed the Domain Admin credentials.

        It enabled a clean break, and ensured I'd be disturbed as little as possible by the next guy asking what's what.
      • My last responsibility when I left my previous job was to disable my own account. I suppose I could have left it for the next guy to do... It isn't like they were going to fire me or anything... But I wasn't actually done being the administrator there until I walked out the door, and a good admin disables accounts that aren't in use. So, I shut down my access. Disabled the account, set an auto-reply on the mailbox and forwarded mail to the new guy. Moved some important documents from my account to his

  • I have a memory that absorbs passwords. I know that two years down the track after I left one company they called me asking for the Directory Services Restore Mode password. This was all well documented when I left. From this same incident I also know that the Admin passwords and the remote connection were all still using the same settings as when I worked there.

    Not surprised in the slightest.

  • Today's top news is that network security isn't - administrators do not audit accounts or access to ensure that only authorized people can access the company's equipment.

    In other news, HB Gary is in the market for new network admins and security tools.

  • This is why it's important to implement regular audits of systems. A financial or health-care institution should do user-access audits a minimum of every 90 days. Password changes should obviously be set to a fairly regular interval as well but, and even more important, there needs to be a checklist with dummy-proof instructions for the process of removing access of any terminated employee. As systems change the procedure should change, too.
    • Re:Audits needed (Score:5, Insightful)

      by Shadow99_1 ( 86250 ) <theshadow99@gmai l . com> on Thursday February 17, 2011 @09:17AM (#35231422)

      I'm with you right up until you start talking about mandatory password changes. Research has pretty well proved by now that making people change their passwords regularly means they write them down. A written-down password provides a worthless level of protection from almost every attempt to get into a system. Statistically a person with a secure password they can remember is far more secure than any number of new passwords they cannot.

      • In an institutional setting (where a good slice of any individual's coworkers can probably obtain physical access for 10 minutes without drawing suspicion, and whatever contract cleaning service was cheapest gets absolutely insane levels of physical access, granted to the high-turnover pool of whatever poor bastards they can find to do night-shift cleaning for $not much/hour), written passwords are, indeed, just asking for it.

        In a physically secure environment, though, if you are concerned primarily with i
      • Oh I completely agree with you, but rules like those put in place by Sarbanes-Oxley and HIPAA require such changes be mandatory and those are the ones that external auditors have to follow. Management could choose to not implement those changes but then the auditor will ding them on non-compliance and a negative mark will go down for all the public world to see.
      • by DarkOx ( 621550 )

        One thing a password expiry policy does do is provide some defense in depth when other measures fail.

        Suppose it's a smallish company, two or three IT people, two or three HR folks. Normally when someone is hired, fired, or resigns HR sends the info over to the IT ticketing system; that's the procedure. Now oops, something unusual happens: a contractor for some other department needs an account. Jill in HR asks Harry in IT what to do about it because they don't have a process for this. Harry says no big deal Jill I
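The 90-day user-access audit proposed earlier in this thread, and the out-of-process contractor account described in this comment, both come down to the same check: reconcile what the directory says is enabled against what HR says is employed. The script below is an added example, not from the article or any commenter; the field names, severity labels and sample accounts are constructed assumptions.

```python
"""Reconcile an exported account list against the HR roster to find access
that should already have been revoked.  Added example with constructed data.

Finding codes:
  STALE            owner terminated, account still enabled
  POST_TERM_LOGIN  a login happened after the termination date
  ORPHAN           enabled account with no HR record (created outside the process)
  DORMANT          active owner, but no login inside the review window
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REVIEW_WINDOW_DAYS = 90   # the 90-day review cadence, reused as the dormancy threshold


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]
    privileged: bool = False


@dataclass
class HrRecord:
    username: str
    status: str                           # "active" or "terminated"
    termination_date: Optional[date] = None


Finding = Tuple[str, str, str]            # (username, code, severity)


def reconcile(accounts: List[Account], roster: List[HrRecord], as_of: date) -> List[Finding]:
    hr = {r.username.lower(): r for r in roster}
    cutoff = as_of - timedelta(days=REVIEW_WINDOW_DAYS)
    findings: List[Finding] = []

    def add(acct: Account, code: str) -> None:
        # Privileged (admin) accounts are the ones the thread worries about; rate them higher.
        findings.append((acct.username, code, "high" if acct.privileged else "medium"))

    for acct in accounts:
        rec = hr.get(acct.username.lower())
        if rec is None:
            # Account exists but HR never heard of the owner: the contractor case.
            if acct.enabled:
                add(acct, "ORPHAN")
            continue
        if rec.status == "terminated":
            if acct.enabled:
                add(acct, "STALE")
            if (rec.termination_date is not None and acct.last_login is not None
                    and acct.last_login > rec.termination_date):
                add(acct, "POST_TERM_LOGIN")
            continue   # disabled-but-kept is the desired state for a departed user
        if acct.enabled and (acct.last_login is None or acct.last_login < cutoff):
            add(acct, "DORMANT")
    return findings


# Constructed sample data (not from any real directory or HR system).
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2011, 2, 16)),
    Account("bob", True, date(2011, 1, 15), privileged=True),  # left in November, still logging in
    Account("carol", False, date(2010, 12, 1)),                 # disabled, not deleted: desired state
    Account("dave", True, date(2010, 9, 1)),                    # current employee, no recent login
    Account("ctr-0417", True, date(2011, 2, 10)),               # contractor account HR never saw
]
SAMPLE_ROSTER = [
    HrRecord("alice", "active"),
    HrRecord("bob", "terminated", date(2010, 11, 30)),
    HrRecord("carol", "terminated", date(2010, 12, 3)),
    HrRecord("dave", "active"),
]


def run_sample() -> List[Finding]:
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, as_of=date(2011, 2, 17))


if __name__ == "__main__":
    for user, code, severity in run_sample():
        print(f"{severity:6} {code:16} {user}")
```

Run against real exports, the ORPHAN list is what the HR-to-IT ticketing process missed, and STALE accounts with a POST_TERM_LOGIN are the ones that need an incident ticket rather than a cleanup ticket.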

      • A written down password provides a worthless level of protection from from almost every attempt to get into a system.

        Wrong. 99% of attacks will come from out on the internet somewhere. Having your password written down does not make these any more dangerous. Having a good password written down is far more secure than having a memorable password that you never change.

      • by arth1 ( 260657 )

        Also, imposing password regulations severely reduces the amount of legal passwords, to the point that it makes rainbow tables more viable.
        A full rainbow table of 1-12 characters? I can't fit that. But when you say "minimum six characters, at least two upper case letters, at least two lower case letters, and at least two symbols, and no character repeated more than once", I suddenly can.

        And, of course, rigorous requirements causes employees to rotate between a fixed list of passwords, written down in all t

      • Sometimes the goal is not actually security. The goal is to comply with some regulation (PCI, HIPAA, etc.) whose authors did not understand security, but thought that monthly password changes, a 12-character minimum length, and no reuse of the last seven passwords in the history make for some fine theatre. Also, substitute "regulation" with "C-level exec" and you get a similar situation.

        Yes, I actually worked at a company once that had that password policy.

  • one of the most surprising results shows that one in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they've left the organization.

    I suspect it's higher. People quit because they're dissatisfied, and they have options. Which means that those who stay behind are generally those who have fewer options, and now even more work. How likely are they going to be even thinking about changing passwords?

    Just this morning I got another set of

    • Re:Only 1 in 10? (Score:5, Insightful)

      by characterZer0 ( 138196 ) on Thursday February 17, 2011 @09:01AM (#35231292)

      People often leave on good terms and the accounts are kept so the ex-employees can help out later here and there if asked.

      • by ryanov ( 193048 )

        This was one of our IT assistant director's ideas. I was uncomfortable about it from moment 1, but I did as asked. Someone about a year later looked at me like I was crazy when I said that that's what happened and told me to disable the account immediately.

        I don't know why I'd want a former employee logging in, ever.

        • Besides... it's quite trivial to reactivate the account if you ever do want to bring them back as a consultant. Or create a new account.

          Did you point that out to the IT AD when he came up with that hare-brained idea?

      • Re:Only 1 in 10? (Score:4, Insightful)

        by DrgnDancer ( 137700 ) on Thursday February 17, 2011 @09:13AM (#35231400) Homepage

        Last place I worked (may it rot in Hell) I hired a junior admin (whom I like, and now feel really bad for accidentally screwing that way) whose previous company did that. It was a small organization and they'd only had him and another guy in IT. Every so often they'd pass him a few bills to log in and fix something. Worked out well all around, he made a few extra bucks and they didn't have to do a panicked job search to replace him instantly. Definitely a terrible idea from a strict IA perspective, but it was a family owned company and they liked and trusted him (with good reason, he was a likable, trust-able guy).

      • Keeping the accounts, sure, but at the very fricking least reset the password so the account isn't directly usable by anyone.

        As for good terms and leaving, I am currently sitting out my last days at the current job, and I'm not in a fight with anyone, but if they call me up next month asking for my help, they better be prepared to pay me ten times what they are paying now before I even lift a finger. Even when leaving on good terms people have very good reasons to leave their job.

      • by arth1 ( 260657 )

        In my experience, accounts are often kept because the people with the technical means to do the clean-up job are seldom notified in a timely manner when someone leaves. And when they are notified, the list of auths and auths to be disabled is quite often incomplete or incorrect.
        Did I know that the former employee had created an account on a customer machine out in the field? Nope.
        Should I check all .ssh/authorized_keys on all accounts on all machines daily for unauthorized updates? Probably.
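The daily authorized_keys check this comment asks about, and the "a key is a password too" point made further down the thread, as an added example that is not from the article or any commenter: it fingerprints every key found in collected authorized_keys files, compares them with an approved inventory, a departed-user list and the previous run's baseline, and reports keys that nobody approved, keys owned by people who have left, and keys that appeared since the last run. Every host, account, and key below is constructed; the collection of the files themselves (scp, a config-management fact, etc.) is assumed to happen elsewhere.

```python
"""Audit authorized_keys text collected from several hosts against an approved
key inventory, a list of departed users and the previous run's baseline.
Added example; every host, account and key below is constructed.
Keys are compared by OpenSSH-style fingerprint (SHA256 of the decoded blob,
base64 without padding), so a key is recognised wherever it is installed and
whatever comment it carries.
"""
import base64
import hashlib
from typing import Dict, List, Optional, Set, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
KeyEntry = Tuple[str, str, str]    # (key type, fingerprint, comment)
Finding = Tuple[str, str, str]     # (code, account@host, detail)
Placement = Tuple[str, str, str]   # (host, account, fingerprint)


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it; 'INVALID' if the blob is not base64."""
    try:
        digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    except ValueError:             # binascii.Error is a ValueError subclass
        return "INVALID"
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[KeyEntry]:
    """Extract keys from authorized_keys text, skipping blanks and comments.  Leading
    options (from=, command=, no-pty, ...) are tolerated by scanning the tokens for
    the key-type token; a quoted option containing a key-type word would confuse it."""
    entries: List[KeyEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                entries.append((tok, fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])))
                break
    return entries


def build_inventory(approved: Dict[str, str]) -> Dict[str, str]:
    """Turn {owner: public key line} into {fingerprint: owner}."""
    return {fp: owner for owner, line in approved.items()
            for _, fp, _ in parse_authorized_keys(line)}


def audit(host_files: Dict[Tuple[str, str], str], inventory: Dict[str, str],
          departed: Set[str], baseline: Optional[Set[Placement]] = None
          ) -> Tuple[List[Finding], Set[Placement]]:
    """host_files maps (host, account) to that account's authorized_keys text.
    Returns the findings plus the current placements, the next run's baseline."""
    findings: List[Finding] = []
    state: Set[Placement] = set()
    for (host, account), text in host_files.items():
        where = f"{account}@{host}"
        for _ktype, fp, comment in parse_authorized_keys(text):
            state.add((host, account, fp))
            owner = inventory.get(fp)
            if owner is None:
                findings.append(("UNKNOWN_KEY", where, comment or "(no comment)"))
            elif owner in departed:
                findings.append(("DEPARTED_OWNER", where, owner))
            if baseline is not None and (host, account, fp) not in baseline:
                findings.append(("NEW_SINCE_BASELINE", where, owner or "unknown owner"))
    return findings, state


def _blob(label: str) -> str:
    # Constructed placeholder standing in for a real encoded public key.
    return base64.b64encode(f"CONSTRUCTED-KEY {label}".encode()).decode()


APPROVED = {"alice": f"ssh-ed25519 {_blob('alice')} alice@laptop",
            "bob": f"ssh-rsa {_blob('bob')} bob@desktop"}
DEPARTED = {"bob"}
SAMPLE_HOST_FILES = {
    ("web1", "root"): f"# root keys on web1\nssh-ed25519 {_blob('alice')} alice@laptop\n"
                      f"ssh-rsa {_blob('bob')} bob@desktop\n",
    ("db1", "postgres"): f'from="10.0.0.5",no-pty ssh-ed25519 {_blob("alice")} alice backup job\n'
                         f"ssh-rsa {_blob('mystery')}\n",
    ("field-box", "admin"): f"ssh-dss {_blob('field')} added-by-bob\n",  # machine out in the field
}
SAMPLE_BASELINE = {("web1", "root", fingerprint(_blob("alice"))),
                   ("web1", "root", fingerprint(_blob("bob"))),
                   ("db1", "postgres", fingerprint(_blob("alice")))}


def run_sample() -> Tuple[List[Finding], Set[Placement]]:
    return audit(SAMPLE_HOST_FILES, build_inventory(APPROVED), DEPARTED, SAMPLE_BASELINE)


if __name__ == "__main__":
    for code, where, detail in run_sample()[0]:
        print(f"{code:19} {where:20} {detail}")
```

Persisting the returned placement set between runs is what turns this from a one-off inventory into the daily change detection the comment asks for; a key that is both UNKNOWN_KEY and NEW_SINCE_BASELINE is the one to chase first.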

      • Re:Only 1 in 10? (Score:5, Insightful)

        by Ephemeriis ( 315124 ) on Thursday February 17, 2011 @09:51AM (#35231850)

        People often leave on good terms and the accounts are kept so the ex-employees can help out later here and there if asked.

        At my current job, I've replaced a guy who accomplished a hell of a lot in the two years that he was here. There's a good chunk of stuff here that my boss doesn't really feel comfortable with. So he disabled my predecessor's account, instead of straight-up deleting it, in case we had to call him in for help (at which point he would have been paid as an independent contractor).

        But that account is disabled. Even though it's still got the same credentials on it, and could be re-activated and used in an emergency, it doesn't currently work. My predecessor could not log in right now if he wanted to.

        You'd have to be crazy to intentionally leave an account active and functioning after someone leaves the company.

  • If people are using passwords to log in remotely, your IT infrastructure is already broken.

    • by Spad ( 470073 )

      It doesn't have to be remote; I've worked in places with tens or hundreds of physical sites where a lot of the time the old "I'm from IT, can I use one of your machines for a few minutes" is sufficient to get access.

      • Re:wtf? (Score:4, Insightful)

        by Eivind ( 15695 ) <eivindorama@gmail.com> on Thursday February 17, 2011 @09:22AM (#35231478) Homepage

        Social engineering is so very simple, and so very effective, true.

        Google a mid-sized company enough to know the name, position and email address of an employee, and the name of one of his/her supervisors.

        "Hi, it's from [network-provider] - I got a report that you were having some trouble accessing your email, [name-of-supervisor] couldn't get at his at all today - do you have a minute to perform some tests on your account?"

        People will gladly tell you their passwords, if it appears you know what you're doing and you know even a *tiny* bit about their environment, enough to make you seem legit.

        It's not hard.

    • by arth1 ( 260657 )

      A key is a password too.

      Just because the machine types in "ssh-dss AAAAB3N...uxIOH1" for you doesn't make it inherently more secure. If not properly managed, it's less secure, because it goes from "something you know" to "something anyone who gained access knows".

  • by elrous0 ( 869638 ) * on Thursday February 17, 2011 @09:03AM (#35231310)

    Even though that's the case (and I'm actually surprised the number isn't higher, considering my own experiences), the real revealing thing about this is that the VAST majority of IT professionals are professional enough not to take advantage of this or to retaliate against former employers. With the exception of a few high profile cases [infoworld.com], almost all IT workers do not use these backdoors for sabotage, theft, etc.

    • by Kokuyo ( 549451 )

      Why limit this to IT? The vast majority of workers can be trusted to do their jobs to the best of their knowledge. Only very few people actually try to do damage.

      Of course, that percentage grows exponentially the more you abuse your people.

      • by elrous0 ( 869638 ) *

        Considering the abuse that most IT workers take from their companies and bosses, I'm again surprised. ;-)

    • With the exception of a few high profile cases [infoworld.com], almost all IT workers do not use these backdoors for sabotage, theft, etc.

      I think you don't quite have all of your facts straight about Terry Childs. He didn't use it for sabotage/theft nor did he use a backdoor.
      Please, go inform yourself before posting again.

    • When you work in the trenches with a tight-knit group of geeks sometimes it makes sense to leave a key under the mat. I have only once used my still-active credentials, and it was to shell in from home to help a former coworker in a pinch, at his request. He was half-way driving from one location in the middle of nowhere to another, a good 30 minutes from the nearest network connectivity, so he used his cell to call me and ask me to run an urgent but simple sysadmin task for him. No problem. Part of the

  • It's always been a problem, and I see it hasn't changed. One of the things I remember from leaving one place a decade ago was just how many systems I had access to as a function of my job as a system admin, and the number of user accounts with that - including support vendor accounts. Even though I was ethical enough to tell them what I had access to, and that they needed to change all those passwords, it turned out that they didn't. I learned that when I was recalled as a contractor, and it turned out I
  • by toygeek ( 473120 ) on Thursday February 17, 2011 @09:19AM (#35231448) Journal

    I have a customer who stiffed me a few hundred bucks for sysadmin work, and he has yet to change his passwords. I doubt he even knows how. I ran across one of them a while ago and sure enough it logged me right in to the account for his colo provider. I did nothing. In fact I even notified him that he should change his password and "oh you still owe me" and never heard a word.

    "Hello, my name is Inigo Montoya. You stiffed me money. Prepare to be Pwned!"

  • I'm not that surprised by this. I still have access to the network from one of my previous jobs, but it's because they specifically wanted me to still have access in case they wanted help. At another job, it took a while for my account to be disabled because I was the guy who would have normally disabled accounts. I had assumed my boss would disable my accounts when he left, but it took him a while.

    It really wasn't that big of a deal, though. I left under amicable terms, and even if I hadn't, I'm a pr

  • 10+% of IT "Pros" aren't really that professional if they're going back to their old accounts to see if they can get in.

    The computers of companies where I used to work are beyond the event horizon. I would never even try to log into them without some kind of written request from my former employer.

    • 10+% of IT "Pros" aren't really that professional if they're going back to their old accounts to see if they can get in.

      The computers of companies where I used to work are beyond the event horizon. I would never even try to log into them without some kind of written request from my former employer.

      Yup.

      I wasn't that impressed with my replacement at my previous employer. I wouldn't be surprised to find out that he hadn't changed the domain credentials. I wouldn't be surprised to find out I could still log in to their network.

      But I haven't tried. And I'm not going to. And I wouldn't even with a written request (screw them).

      I'm more surprised that there are that many IT "Pros" out there who have actually tried to log in to a previous employer's systems. Not terribly professional, in my opinion...

      • I wouldn't be surprised if that 10% is more a theoretical number of "could" log in if necessary than "did" log in. I think it shows how trustworthy IT professionals are as a group.
        • I wouldn't be surprised if that 10% is more a theoretical number of "could" log in if necessary than "did" log in. I think it shows how trustworthy IT professionals are as a group.

          In which case, I'm wondering why they think they can, if they didn't try it?

          Are they just assuming that their replacement is incompetent? Did they intentionally leave a back door that they assume is still there?

          I wasn't much impressed with my replacement at my previous job. I wouldn't be surprised if some of the admin accounts haven't been changed. I wouldn't be surprised if I was able to get in to my old employer's network. But I don't know that I actually can. And I certainly wouldn't have answered in t

          • A lot depends on what the individual has done in his position. There could be master passwords for networking equipment, and changing those passwords should be trivial, but it could impact monitoring scripts. And really, automated scripts are where closing accounts or changing passwords could bite a new administrator in the ass. Who knows what hidden problems could crop up once you make a change, and since you can't read the current password, some of those broken scripts could end up unfixable without a
      • by osgeek ( 239988 )

        But I haven't tried. And I'm not going to. And I wouldn't even with a written request (screw them).

        Well, the request has to be written in the memo field of a check paying me for my time.

  • by grapeape ( 137008 ) <mpope7.kc@rr@com> on Thursday February 17, 2011 @09:27AM (#35231530) Homepage

    Last year I actually lost a client for being too security conscious. They were a part-time client and only usually called me when it was an absolute emergency...most of the time when a problem happened they would try and fix it themselves, make it worse then call me. I tried to talk them into letting me come in once a month to patch and update on a scheduled basis. I was told I was trying to fleece them and pad my hours and that they felt they needed to take IT in another direction.

    Nearly a year later I am still receiving backup notices. A few months back I found out accidentally that the root password hadn't changed when I ran a maintenance script that I used to do a resources audit and forgot to change the account info to a different client. I called them right away and instead of "thanks, we will take care of it" I was told that I was hacking and that if I didn't stop they would report it to the police. I even tried talking to their new IT guy (one of the owner's nephews) but he told me he was not allowed to speak to me and hung up.

    I'm actually worried about the former client but am completely at my wits' end about what I can do about it, and frankly I'm worried that when the inevitable happens the first person they will attempt to blame for any disaster is going to be me. For now all I have been able to do is document my efforts to get them to fix the issue.

    • Document everything and send them an email. CC yourself on an account you can't modify on the backend to forge date/time (like yahoo, etc.). Then promptly forget about the client and destroy any data of theirs you still have. They're not paying you any more. Quit worrying about them.
      • It also might not hurt to print out the same info and send it to yourself through the paper mail. Leave the envelope sealed. The postmark will be your proof of the date. A lot of people tend not to trust electronic records (or may not understand well enough to know they should trust them).

  • by bl8n8r ( 649187 ) on Thursday February 17, 2011 @09:28AM (#35231538)
    When I leave a place, or a contract is over, I usually work it into an email to request my credentials be removed, or account disabled. When something goes wrong, the first thing everyone does is point a finger at the last person that left. If my account has been disabled, it's pretty easy for me to prove my innocence and not waste time trying to convince anyone. Also puts a little more weight into your argument when you produce an account revocation document which a company was negligent in following through with. Doesn't sound like much, but makes a *huge* difference when the witch hunt starts.
    • Not only that, but what happens if, after you leave, someone hacks their system and just so happens uses your account to do so? That's not going to look good, no matter how much you claim to be innocent.

  • 6 out of 10..... (Score:4, Interesting)

    by Lumpy ( 12016 ) on Thursday February 17, 2011 @09:48AM (#35231810) Homepage

    Have copies of companies assets in their possession. OR physical assets of the company still in their possession.

    I was cleaning out some junk data the past weekend, went through my archive of 900+ CD-R's of the past 14 years and found several discs that I shredded as they contained company data from old employers. I also found a binder with a printout of some source code that was for an old job from before 1995.

    I don't worry about the guy that can access a server at work, I worry about the guy that leaves the job with a 64GB thumb drive that has the entire customer database on it.

    • Where did you get the "6 out of 10 ... Have copies of companies assets in their possession. OR physical assets of the company still in their possession." quote? I didn't see it in the linked article, and even if it was, could a paperclip or pen be considered a "company asset in their possession"?

      I do agree that people stealing confidential databases (or losing laptops with that data) are the bigger threats.
    • I don't worry about the guy that can access a server at work, I worry about the guy that leaves the job with a 64GB thumb drive that has the entire customer database on it.

      You hit the nail square on the head there. I have access to several former employers; I even have access to one site where I shut off my own access before I walked out the door. But then my replacement did not work out and they begged me to help them find out what was going on...I had to come back into the building and hack into my old servers with a boot disk to restore my access and undo the work of my "successor".

      Generally, a true IT professional can be trusted after they leave, because if they wanted

  • It's quite common (Score:5, Interesting)

    by ledow ( 319597 ) on Thursday February 17, 2011 @10:04AM (#35232020) Homepage

    Most places will happily give you every password in the world when you start a job there. And sometimes the "intermediate" stage between you leaving and someone else doing your job is filled with outside contractors and random people who "need" your passwords.

    Whenever I leave an employer, I make a BIG list of everything I know in terms of passwords, passcodes, keys, etc. and compile it on paper or a CD. I put literally everything in there, even down to little foibles of the system and the reasoning for strange configurations. I then furnish the boss with one copy of that CD, hand him another copy to "put in a safe place" (usually a safe) and then leave.

    I did this at my last workplace. They were getting increasingly silly and employing people with zero expertise, and I already had another job lined up, so my entire notice period was spent house-cleaning and compiling lists while taking care of the mundane jobs.

    Technically I reported only to the headteacher of the school in question, having been employed by him without any formal assignment in a staffing structure (to the point where the local borough phoned up to complain that I was earning too much for any of their pay-scales and had to be put on my own unique one).

    When I left, there was no replacement for me (because they weren't interested in employing the only guy out of all the candidates that *could* do my job because he had formerly worked in Tesco's supermarket rather than sit on his arse in the middle of a recession) so I handed off to the headteacher. This immediately caused an argument because one of the new staff who was the new "second-in-command" there (and that decision was partly responsible for me wanting to leave in the first place!) DEMANDED the "admin password for the network".

    He wasn't an IT guy. He knew nothing about computers at all. He just wanted it because he was sure that the dozens of digital voice recorders that he'd bought on a whim (without IT authorisation) could be made compatible with the non-networkable, kiddified, decades-old audio editing software he'd bought on a whim (without IT authorisation) on the network he didn't know how to manage, no matter how many times I told him they were incompatible. He was convinced that if he somehow got the "magic" administrator's password and then let 1000 kids loose with it so they could listen to themselves talking, it would solve his problems with not teaching part of the IT curriculum.

    Obviously I must have been deliberately lying when his DRM'd-AAC-only recorders couldn't be opened in a program that only took WAV's (not even MP3's!) and that an intermediate conversion step (which he DEMANDED shouldn't be necessary and refused to use) was required.

    Apart from the fact there were three networks, there were dozens of different passwords, and he wasn't getting *ANY* of their passwords until I was way outside the building and long gone, I had a duty to protect the information secured by those passwords (information on kids, people's salaries etc.). If you read the rules precisely, that means that I had to hand off ONLY to the headteacher, who could then hand off passwords to others as they saw fit.

    So I did just that, in the process making my own day by telling the guy "No." even if he WAS second-in-command there (he didn't seem to understand that I didn't report to him, no matter what he thought of that idea). He was rather miffed. I also, with the head's permission, gave a copy of the CD to the lead governor of the school who was a big-iron IT guy for his day-job, that we both knew we could trust - he would be fixing any major issues that occurred in the school until they could find a replacement and he was there to sign-off on my hand-over.

    A week later, a phone call from the second-in-command. He'd got the administrator password, tried it out on several PC's and couldn't do what he wanted (ignoring the fact that he wasn't using ANY of the network software management that we had in place). So he demanded that I give

  • Quest. (Score:4, Insightful)

    by saintlupus ( 227599 ) on Thursday February 17, 2011 @10:24AM (#35232274)

    If only the company who commissioned this survey happened to sell a bunch of account and identity management tools.... Oh, they do? What luck!

  • The company I'm currently working at hasn't changed the alarm system code in 10 years. They've fired several vengeful people in that time, plus we've never modernized with a facility access logging/keycard system. Yep, 200 employees all use the exact same master key that opens every door in the company.

    A former employee with a copy of their physical key could access a nearby building undetected; disable the alarm; and shut down a major fiber backbone line between Salt Lake and Las Vegas.

  • If I had to guess, I'd bet there was an account left over at a former employer, but there's no way I would check, even for curiosity. Seems like they might be dumb enough to leave a hole, lucky enough to notice the access, and vicious enough to make a legal issue of it. I know they were too dumb to disable the notices to my mobile phone when a NAS went into panic 2 months after they laid me off. I called to tell them about the problem before their contract "IT guy" arrived for the day.
