Slashdot: News for Nerds


10% of IT Pros Can Access Previous Jobs' Accounts

CmdrTaco posted more than 3 years ago | from the still-fixing-tickets-too dept.

Security

dinscott writes "According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users' electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence. It's no wonder then that half of them are concerned about insider threats to network security in their company's current infrastructure! But one of the most surprising results shows that one in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they've left the organization."


218 comments

well, i can (4, Interesting)

gblfxt (931709) | more than 3 years ago | (#35231206)

but is it my responsibility to suggest they change the password? especially since a 'professional' it outsourcing company took it over?

I don't know who leaked your data (0)

Anonymous Coward | more than 3 years ago | (#35231374)

And besides, you can't prove anything

Re:well, i can (2)

Stenchwarrior (1335051) | more than 3 years ago | (#35231462)

Fuck no, it's not. And I'd have a hard time not getting behind some proxy and doing something bad, in your case. Unless I'm reading you wrong and it wasn't a sour situation for you.

Re:well, i can (2)

gblfxt (931709) | more than 3 years ago | (#35231560)

i am a professional, and i understood that they thought i was overpaid (especially since after i was there for 2 years, there were hardly any network issues). i don't wish them harm, but i would like to at least hire a competent IT outsourcing company to replace me, so I know my 2 years of work ended up in good hands... :)

Re:well, i can (1)

stealth_finger (1809752) | more than 3 years ago | (#35231784)

> (especially since after i was there for 2 years, there were hardly any network issues)

Surely that can only mean you were doing your job well.

Re:well, i can (2)

Toe, The (545098) | more than 3 years ago | (#35232000)

No, no, no. It's like paying for insurance...

I only buy insurance policies the day before I intend to get in an accident, decide to get robbed, elect to have my house destroyed by a tornado, etc.

It is much more cost-effective that way.

Re:well, i can (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35232110)

> (especially since after i was there for 2 years, there were hardly any network issues)
>
> Surely that can only mean you were doing your job well.

Unfortunately, this is not the way of user psychology...

By default, all complex network setups work perfectly (it said "enterprise" right on the box, dinn'it?). If yours does not work perfectly, that is because your IT department is incompetent. If yours does work perfectly, this implies that your IT department is slacking off and playing video games, and should probably be fired and replaced by something cheaper.

Re:well, i can (5, Insightful)

John Hasler (414242) | more than 3 years ago | (#35231510)

> but is it my responsibility to suggest they change the password?

You should do so for your own protection. Do it in writing. Don't check to see if the password has been changed, however: you could be accused of "breaking in". Just send them a letter reminding them to make the change.

> especially since a 'professional' it outsourcing company took it over?

Which may look around for a scapegoat after they screw up. You really don't want them to discover that a break-in occurred via an account for which you, a "disgruntled former employee", had a password.

Re:well, i can (0)

Anonymous Coward | more than 3 years ago | (#35231566)

> You really don't want them to discover that a break-in occurred via an account for which you, a "disgruntled former employee", had a password.

Sure I do. I didn't do it, so they can't prove I did. And I get to rub it in their faces- "You fired me, a competent employee, and hired some losers who can't even change a password. What idiots!!".

Re:well, i can (3, Insightful)

mysidia (191772) | more than 3 years ago | (#35231626)

> Sure I do. I didn't do it, so they can't prove I did. And I get to rub it in their faces- "You fired me, a competent employee, and hired some losers who can't even change a password. What idiots!!".

The best thing to do in such circumstances is probably to just let yourself forget what your old password is. Providing you were smart, it is a strong password, and difficult to remember, it will be forgotten eventually.

Just don't try to remember it or use any new password similar to it.

Re:well, i can (1)

jslater25 (1005503) | more than 3 years ago | (#35231892)

Exactly. I suggested to one of the higher ups that they should make sure ALL passwords were changed, including (but not limited to) VPN access, Outlook 'master account' access, Server passwords, local user logins, and domain account access. I seriously doubt that this was done, and if it was done, I doubt it was done in a timely fashion. When half the IT department leaves within 2 weeks, the other half is left scrambling and the management is typically too stupid to know what to do. Personally, I didn't see any point in ever checking to see if my previous passwords were changed. It was no longer my responsibility.

Re:well, i can (1)

buglista (1967502) | more than 3 years ago | (#35232308)

Yep - that's exactly why I kept on at ex-colleagues to change the root password for months after I left one gig.

Re:well, i can (1)

mysidia (191772) | more than 3 years ago | (#35231578)

> but is it my responsibility to suggest they change the password? especially since a 'professional' it outsourcing company took it over?

The problem is 'suggesting they change the password' is proof that although you no longer work for them, you tried using your credentials to regain access to their system.

If they are dicks, they might call up the police and press charges for unauthorized access to their computer system, even if you think you're just trying to be helpful, testing to make sure your creds are no longer valid.

Re:well, i can (1)

Warskull (846730) | more than 3 years ago | (#35232224)

> but is it my responsibility to suggest they change the password? especially since a 'professional' it outsourcing company took it over?
>
> The problem is 'suggesting they change the password' is proof that although you no longer work for them, you tried using your credentials to regain access to their system.
>
> If they are dicks, they might call up the police and press charges for unauthorized access to their computer system, even if you think you're just trying to be helpful, testing to make sure your creds are no longer valid.

This! In this case, suggesting they fix it can do nothing good for you and they can potentially try to have you prosecuted for unauthorized access. You know you were fired, the letter proves you know that you aren't supposed to be able to access the systems, and it also proves you accessed the system. They won't have an epiphany and hire you back if you point out security flaws; in fact it is more likely they will shoot the messenger. Best case you get a thanks from a company that thinks IT is overpaid and screwed you over. Worst case they attempt to make your life miserable. Furthermore, if you still have access, how many other holes are still sitting around their network? Who else still has access? They don't need a letter helping them plug up a single hole, they need someone like you fixing their security, which ironically they don't have anymore.

Re:well, i can (1)

Richard_at_work (517087) | more than 3 years ago | (#35231582)

No, it's not your responsibility at all - but it is your responsibility to never try to gain access to an account you no longer have authorisation for (authorisation and ability to access are two different things; it's good to have both to be in the clear).

Why are these people trying their old accounts? What legitimate reason could they have (beyond being rehired or working as a consultant for their old employer)? I quit a long term job over a year ago, I'm pretty sure some of the public facing accounts I had there would never have been shut down after I left (but all were disclosed to the other members in my team when I left), but I've never tried to access them - I wouldn't dream of it, unless they asked me to do some work and confirmed I had authorisation to log back in.

A related question.. (1)

biodata (1981610) | more than 3 years ago | (#35231680)

Is it my responsibility not to disclose my password to anyone else, after I have left?

Re:A related question.. (1)

gblfxt (931709) | more than 3 years ago | (#35231760)

i left a full list of admin passwords for all network devices, they just chose not to change a lot of them, or didn't know how to change them. again, i'm not sure why this is on my shoulders, and not on the incompetent IT outsourcers. what have they done that is so perfect?

Re:well, i can (1)

Ephemeriis (315124) | more than 3 years ago | (#35231750)

My previous employer had a crapload of generic admin logins on the network.

My last responsibility when I left was to disable my own account, so I'd assume that my personal username and password would no longer work.

But I'd be very surprised if they bothered to change all those generic admin logins... I met a ton of resistance when I tried doing it while I was there.

Re:well, i can (1)

skids (119237) | more than 3 years ago | (#35231912)

Generic admin accounts are bad security policy, and bad change control policy. You were right to try to get them to change

Sometimes these accounts are unavoidable, though, since certain vendors support only root access plus remote AAA, with no local user database capability. Unfortunately, centralized authentication is itself a security/stability problem (DoS) when you are dealing with systems that can get isolated from the AAA server or AAA server setups that are not sufficiently redundant.

So pretty much you just have to grunt or script through changing a bunch of accounts on a bunch of systems. In many cases, you only have limited churn on the admin accounts so it's actually less effort than debugging each system's AAA nuances anyway. Also keeping a record of accounts and a staff change procedure is just good practice.

Re:well, i can (0)

Anonymous Coward | more than 3 years ago | (#35232254)

AAA? What on earth does that mean?

Re:well, i can (1)

Ephemeriis (315124) | more than 3 years ago | (#35232330)

> AAA? What on earth does that mean?

http://en.wikipedia.org/wiki/AAA_protocol [wikipedia.org]

Kind of surprised you're asking that here on Slashdot...

Re:well, i can (1)

kthreadd (1558445) | more than 3 years ago | (#35231764)

When an administrator leaves we explicitly leave their root access still on; that way, admins are not likely to build security flaws into the system.
And no, our admins are not just some guy we picked up from the streets because he knew how to release the caps lock key.

Re:well, i can (1)

DigiShaman (671371) | more than 3 years ago | (#35231832)

Well, IT professionals should always adhere to proper conduct. Just because you can access resources from a previous employer (unauthorized) doesn't mean you should. Besides, it could be a liability to you just in case that outsourced group decides to audit log files and use you as the scapegoat for their screw ups. Either way, it's in your best interest to purge from your mind whatever user accounts you used to know but no longer have authorization for.

Re:well, i can (1)

Toe, The (545098) | more than 3 years ago | (#35232044)

> but is it my responsibility to suggest they change the password?

It was your responsibility to disable your password or arrange for its termination while you were still employed there.

The fact that it is not disabled appears to be a failure on your part to enforce good IT policy while you were on the job.

Re:well, i can (1)

gblfxt (931709) | more than 3 years ago | (#35232256)

i did disable my logon, it was the generic network admin logins that they did not change, even though i listed them and suggested they change them.

Only 10% (1)

Anonymous Coward | more than 3 years ago | (#35231218)

Admin
Passw0rd

I'd better not be able to... (4, Interesting)

HappyHead (11389) | more than 3 years ago | (#35231224)

My last action in my previous sysadmin job was to disable my own old accounts. If I find that they're accessible to me again, it means that:

  • They somehow guessed my line-noise password, and put it back on the account, or
  • They broke the servers badly, and had to restore everything from the backup I made before I left, and then were too stupid to re-do the list of admin tasks afterwards, which included disabling the accounts of three other former employees, one of whom was fired for dirty dealings.

Re:I'd better not be able to... (2)

kwenf (1531623) | more than 3 years ago | (#35231260)

> They broke the servers badly, and had to restore everything from the backup I made before I left, and then were too stupid to re-do the list of admin tasks afterwards, which included disabling the accounts of three other former employees, one of whom was fired for dirty dealings.

I find this scenario plausible. You should check if you can access the accounts.

Re:I'd better not be able to... (1)

malignant_minded (884324) | more than 3 years ago | (#35231372)

Do you really want to be on the logs trying to access using your account? Not that someone that incompetent to disable the accounts would actively go through logs but why risk it. I bet a lot of the times when someone takes over they have a list of accounts and no one knows what does what or what job was created using that account so don't break what isn't broken "I got more pressing shit to do".

Re:I'd better not be able to... (4, Insightful)

somersault (912633) | more than 3 years ago | (#35231534)

I hate when people don't actually tell me that an employee has left. Last week someone was like "did you know that Elaine is back already?" and I was surprised to hear that she'd even left. Sure, come to me when you need a new account, but if someone leaves nobody says a thing. In fact I'm going to email our new HR dept right now; it should be part of the procedure when people leave.

Re:I'd better not be able to... (4, Insightful)

Stenchwarrior (1335051) | more than 3 years ago | (#35231396)

They made you disable the access?! That's either very lazy or...well, I don't know what else. Relying on the person leaving to kill their own access is a bit like leaving the wolf to tend the chickens, no? I'm sure there are audit trails that show that if certain places in the network are accessed it can be traced back to your username, but who's to say that your particular account didn't get hacked? This only creates headaches for the IT manager later down the road. This reminds me of my brother who is very good at not working, but at a cost where he actually works harder to not work, more so than he would if he actually just fucking worked.

Re:I'd better not be able to... (1)

HappyHead (11389) | more than 3 years ago | (#35231454)

No, I made me disable access. I left because I got a (much) higher paying job in a different industry. The boss at the old place was a friend of mine, and I explained to him what I was doing and why, as well as making sure that everything was well documented for whoever they eventually had to hire to replace me when the Vice President finally admitted he couldn't also be the entire IT department for a 40 person company.

Re:I'd better not be able to... (2)

L4t3r4lu5 (1216702) | more than 3 years ago | (#35231458)

I disabled my own account too. Locked my own mailbox, logged on as Domain Admin, moved any documents or files which may be required by a successor out of my user area, disabled my user account, and handed the "key to the city" to the next guy, who promptly changed the Domain Admin credentials.

It enabled a clean break, and ensured I'd be disturbed as little as possible by the next guy asking what's what.

Re:I'd better not be able to... (0)

Anonymous Coward | more than 3 years ago | (#35231870)

When I left my last job, I told my boss I had terminated my access, and he asked me to re-enable my VPN account in case they had any problems and needed me to fix something. The crazy thing is that they were so hung up on security on everything else that some of the upper management would keep important documents on a floppy disk in the filing cabinet because "It can't be stolen if it isn't online"!

Re:keep important documents on a floppy disk (1)

DocSavage64109 (799754) | more than 3 years ago | (#35232080)

> The crazy thing is that they were so hung up on security on everything else that some of the upper management would keep important documents on a floppy disk in the filing cabinet because "It can't be stolen if it isn't online"!

That's funny. I've seen dozens of instances of floppy discs becoming unreadable. The best is when it's towards the end of a 23 or so disc MS Office install.

Re:I'd better not be able to... (1)

Ephemeriis (315124) | more than 3 years ago | (#35231806)

My last responsibility when I left my previous job was to disable my own account. I suppose I could have left it for the next guy to do... It isn't like they were going to fire me or anything... But I wasn't actually done being the administrator there until I walked out the door, and a good admin disables accounts that aren't in use. So, I shut down my access. Disabled the account, set an auto-reply on the mailbox and forwarded mail to the new guy. Moved some important documents from my account to his. Things like that.

Then I handed him the domain admin credentials and walked out the door.

If he's a good admin he then double-checked to make sure that my account was disabled and changed the domain admin credentials to make sure I couldn't abuse them. He would have taken a look at my user shares and made sure there wasn't anything he needed in there. He would have done a quick audit to make sure I hadn't done anything suspicious over the last week or two.

But, honestly, I doubt if he did. He didn't impress me at all. I bet I could still log in to their network with the domain admin password.

Not surprised (2)

dwarfsoft (461760) | more than 3 years ago | (#35231226)

I have a memory that absorbs passwords. I know that two years down the track after I left one company they called me asking for the Directory Services Restore Mode password. This was all well documented when I left. From this same incident I also know that the Admin passwords and the remote connection were all still using the same settings as when I worked there.

Not surprised in the slightest.

Re:Not surprised (1)

donotlizard (1260586) | more than 3 years ago | (#35231404)

A former employer of mine administered our user name and password, so we weren't able to change anything. My user name was FirstName LastName and the password was LastName123. Not very imaginative, especially since they use Microsoft Exchange. Anyone could type in http://mailserver.companyname.com/, visit their company website to get an employee's first and last name, and log on to the mailserver.

Make transparency, leak data. Secrecy breeds abuse (0)

Anonymous Coward | more than 3 years ago | (#35231624)

Let's have full transparency and accountability. Enough of having a society of secrets. Now is the time for opening secrets. Secrecy breeds abuse.

/. News Networks (1)

Even on Slashdot FOE (1870208) | more than 3 years ago | (#35231232)

Today's top news is that network security isn't - administrators do not audit accounts or access to ensure that only authorized people can access the company's equipment.

In other news, HB Gary is in the market for new network admins and security tools.

Audits needed (1)

Stenchwarrior (1335051) | more than 3 years ago | (#35231242)

This is why it's important to implement regular audits of systems. A financial or health-care institution should do user-access audits a minimum of every 90 days. Password changes should obviously be set to a fairly regular interval as well but, even more important, there needs to be a checklist with dummy-proof instructions for the process of removing access of any terminated employee. As systems change the procedure should change, too.

Re:Audits needed (4, Insightful)

Shadow99_1 (86250) | more than 3 years ago | (#35231422)

I'm with you right up til you start talking about mandatory password changes. Research has pretty well proved by now that making people change their passwords regularly means they write them down. A written down password provides a worthless level of protection from almost every attempt to get into a system. Statistically a person with a secure password they can remember is far more secure than any number of new passwords they cannot.

Re:Audits needed (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35232278)

In an institutional setting (where a good slice of any individual's coworkers can probably obtain physical access for 10 minutes without drawing suspicion, and whatever contract cleaning service was cheapest gets absolutely insane levels of physical access, granted to the high-turnover pool of whatever poor bastards they can find to do night-shift cleaning for $not much/hour), written passwords are, indeed, just asking for it.

In a physically secure environment, though, if you are concerned primarily with internet threats (as with, say, home banking) an excellent written password can be a perfectly decent strategy (particularly if you do something like remember an ok password, then append the written-down 20-character-line-noise one... Even a breakin won't get somebody what they need...).

Ultimately, though, if it is really that important, you should probably suck it up and go with some flavor of cryptographic token + password. They aren't terribly inexpensive, and everybody hates them; but they are better.

Security - secrets - abuse (0)

Anonymous Coward | more than 3 years ago | (#35231814)

Higher security limits access to regular people. Provides exclusive access to a few. And to an elite of security people. Both will use their power to their advantage, and people's disadvantage. Secret information is secret weapons. Produce democracy. Publish the data.

Re:Audits needed (0)

Anonymous Coward | more than 3 years ago | (#35231880)

As an external IT auditor, I can say that financial institutions take this matter quite seriously. Although quarterly reviews are not that common, most of the ones I worked with review access rights at least bi-annually. That said, I have also seen some smaller institutions not bothering with reviews of either their network domain or remote access rights - especially if they don't have a dedicated IT Department.

Nowadays, password change is enforced by default by most popular systems, so if it's not in place that usually means someone deliberately turned it off.

I think your last point is the most important one - a good process of removing access of any terminated employee. And I would like to stress that timely removal is imperative - nothing can hurt you more than a disgruntled employee coming back home from a bar after being let go, logging on remotely to your systems and going berserk.

My 2 cents.

How do they know? (0)

Anonymous Coward | more than 3 years ago | (#35231254)

I suspect that my old accounts are still active but I've never checked. It's unlikely that anyone would notice but there are harsh laws against it.

It would be interesting to know what proportion of accounts are still active amongst people who've looked. I'd expect it to be more than 10%.

Only 1 in 10? (1)

tomhudson (43916) | more than 3 years ago | (#35231274)

> one of the most surprising results shows that one in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they've left the organization.

I suspect it's higher. People quit because they're dissatisfied, and they have options. Which means that those who stay behind are generally those who have fewer options, and now even more work. How likely are they going to be even thinking about changing passwords?

Just this morning I got another set of auto-emailed warning messages from a server where I used to work - and yes, I told them to take me off the list and change the passwords. Since I'm still on the list, how much you want to bet they don't even know how to change a password?

Re:Only 1 in 10? (4, Insightful)

characterZer0 (138196) | more than 3 years ago | (#35231292)

People often leave on good terms and the accounts are kept so the ex-employees can help out later here and there if asked.

Re:Only 1 in 10? (2)

ryanov (193048) | more than 3 years ago | (#35231360)

This was one of our IT assistant director's ideas. I was uncomfortable about it from moment 1, but I did as asked. Someone about a year later looked at me like I was crazy when I said that that's what happened and told me to disable the account immediately.

I don't know why I'd want a former employee logging in, ever.

Re:Only 1 in 10? (1)

realityimpaired (1668397) | more than 3 years ago | (#35231514)

Besides... it's quite trivial to reactivate the account if you ever do want to bring them back as a consultant. Or create a new account.

Did you point that out to the IT AD when he came up with that hare-brained idea?

Re:Only 1 in 10? (1)

kilfarsnar (561956) | more than 3 years ago | (#35231776)

My thoughts exactly. And thanks for spelling hare-brained correctly!

Re:Only 1 in 10? (3, Insightful)

DrgnDancer (137700) | more than 3 years ago | (#35231400)

Last place I worked (may it rot in Hell) I hired a junior admin (whom I like, and now feel really bad for accidentally screwing that way) whose previous company did that. It was a small organization and they'd only had him and another guy in IT. Every so often they'd pass him a few bills to login and fix something. Worked out well all around, he made a few extra bucks and they didn't have to do a panicked job search to replace him instantly. Definitely a terrible idea from a strict IA perspective, but it was a family owned company and they liked and trusted him (with good reason, he was a likable, trust-able guy).

Re:Only 1 in 10? (1)

Vectormatic (1759674) | more than 3 years ago | (#35231460)

keeping the accounts, sure, but at the very fricking least reset the password so the account isn't directly usable by anyone

As for good terms and leaving, i am currently sitting out my last days at the current job, and i'm not in a fight with anyone, but if they call me up next month asking for my help, they better be prepared to pay me ten times what they are paying now before i even lift a finger. Even when leaving on good terms people have very good reasons to leave their job.

Re:Only 1 in 10? (1)

arth1 (260657) | more than 3 years ago | (#35231486)

In my experience, accounts are often kept because the people with the technical means to do the clean-up job are seldom notified in a timely manner when someone leaves. And when they are notified, the list of auths and auths to be disabled is quite often incomplete or incorrect.
Did I know that the former employee had created an account on a customer machine out in the field? Nope.
Should I check all .ssh/authorized_keys on all accounts on all machines daily for unauthorized updates? Probably.

Re:Only 1 in 10? (4, Insightful)

Ephemeriis (315124) | more than 3 years ago | (#35231850)

> People often leave on good terms and the accounts are kept so the ex-employees can help out later here and there if asked.

At my current job, I've replaced a guy who accomplished a hell of a lot in the two years that he was here. There's a good chunk of stuff here that my boss doesn't really feel comfortable with. So he disabled my predecessor's account, instead of straight-up deleting it, in case we had to call him in for help (at which point he would have been paid as an independent contractor).

But that account is disabled. Even though it's still got the same credentials on it, and could be re-activated and used in an emergency, it doesn't currently work. My predecessor could not log in right now if he wanted to.

You'd have to be crazy to intentionally leave an account active and functioning after someone leaves the company.
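The checks argued for in this sub-thread (arth1's sweep of every account's .ssh/authorized_keys, the disabled-but-retained account described above, and the generic admin logins whose passwords never got rotated after someone left) can be run as one offboarding audit. The following Python is an added example, not code from the thread or from any poster; the inventory, account names, key blobs and dates are all constructed, and `Account`, `parse_authorized_keys` and `audit_offboarding` are names chosen here, not from any tool.

```python
"""Offboarding access audit run over a constructed inventory (added example).

Checks: (1) personal accounts of departed staff that are still enabled,
(2) shared/generic admin logins whose password was last changed on or
before the day a holder of that password left, and (3) authorized_keys
entries that are unknown to the key inventory or belong to someone gone.
"""
import shlex
from dataclasses import dataclass
from datetime import date

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class Account:
    name: str
    holders: tuple                        # staff who hold (or held) this login's password
    locked: bool = False                  # "disabled": login refused even with valid creds
    shared: bool = False                  # generic/shared admin login
    password_changed: date = date(2000, 1, 1)
    authorized_keys: str = ""             # contents of the account's ~/.ssh/authorized_keys


def parse_authorized_keys(text):
    """Return (key_type, key_blob, comment) per key line.

    Skips blank and '#' lines and the optional leading options field
    (from="...", command="...", no-pty, ...) by scanning for a key type.
    """
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)        # keeps quoted options as one token
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
                keys.append((tok, tokens[i + 1], " ".join(tokens[i + 2:])))
                break
    return keys


def audit_offboarding(accounts, departed, known_keys):
    """Return sorted (code, account_name, detail) findings.

    departed:   {employee: date they left}
    known_keys: {key_blob: employee the key was issued to}
    """
    findings = []
    for acct in accounts:
        gone = {h: departed[h] for h in acct.holders if h in departed}
        if not acct.shared and gone and not acct.locked:
            who = ", ".join(f"{h} (left {d})" for h, d in gone.items())
            findings.append(("ACTIVE_ACCOUNT", acct.name, f"not disabled; holder {who}"))
        if acct.shared:
            for holder, left in gone.items():
                if acct.password_changed <= left:
                    findings.append(("STALE_SHARED_PASSWORD", acct.name,
                                     f"password set {acct.password_changed} predates {holder} leaving {left}"))
        for key_type, blob, comment in parse_authorized_keys(acct.authorized_keys):
            issued_to = known_keys.get(blob)
            if issued_to is None:
                findings.append(("UNKNOWN_KEY", acct.name, f"{key_type} '{comment}' not in key inventory"))
            elif issued_to in departed:
                findings.append(("DEPARTED_KEY", acct.name,
                                 f"key of {issued_to} (left {departed[issued_to]}) still authorized"))
    return sorted(findings)


def run_sample():
    """Constructed inventory: names, dates and key blobs are made up."""
    departed = {"alice": date(2011, 1, 15), "mallory": date(2010, 11, 1)}
    known_keys = {"AAAAB3NzaC1_ALICE": "alice", "AAAAB3NzaC1_BOB": "bob"}
    accounts = [
        Account("alice", ("alice",)),                              # left, never disabled
        Account("mallory", ("mallory",), locked=True),             # left, properly disabled
        Account("bob", ("bob",), authorized_keys=(
            "ssh-rsa AAAAB3NzaC1_BOB bob@laptop\n"
            "ssh-rsa AAAAB3NzaC1_ALICE alice@old-desktop\n")),      # alice's key lingers in bob's file
        Account("netadmin", ("alice", "bob"), shared=True,
                password_changed=date(2011, 1, 10),                # rotated before alice left
                authorized_keys='from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3Nza_UNKNOWN ops-box\n'),
        Account("root", ("bob", "mallory"), shared=True,
                password_changed=date(2010, 12, 1)),               # rotated after mallory left
    ]
    return audit_offboarding(accounts, departed, known_keys)


if __name__ == "__main__":
    for code, name, detail in run_sample():
        print(f"{code:22} {name:10} {detail}")
```

On a real fleet the inventory would come from the HR leaver list, the account store and a collection of each host's authorized_keys files; the point of the constructed run is that a key is treated as a credential just like a password (as arth1 notes in the "wtf?" sub-thread), so a leaver's key in someone else's file, or a key nobody issued, is reported even when the leaver's own account is correctly locked.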

wtf? (1)

Lord Bitman (95493) | more than 3 years ago | (#35231282)

If people are using passwords to log in remotely, your IT infrastructure is already broken.

Re:wtf? (1)

Spad (470073) | more than 3 years ago | (#35231338)

It doesn't have to be remote; I've worked in places with 10s or 100s of physical sites where a lot of the time the old "I'm from IT, can I use one of your machines for a few minutes" is sufficient to get access.

Re:wtf? (3, Insightful)

Eivind (15695) | more than 3 years ago | (#35231478)

social engineering is so very simple, and so very effective, true.

Google a mid-sized company enough to know the name, position and email address of an employee, and the name of one of his/her supervisors.

"Hi, it's from [network-provider] - I got a report that you were having some trouble accessing your email, [name-of-supervisor] couldn't get at his at all today - do you have a minute to perform some tests on your account?"

People will gladly tell you their passwords, if it appears you know what you're doing and you know even a *tiny* bit about their environment, enough to make you seem legit.

It's not hard.

Re:wtf? (2)

arth1 (260657) | more than 3 years ago | (#35231552)

A key is a password too.

Just because the machine types in "ssh-dss AAAAB3N...uxIOH1" for you doesn't make it inherently more secure. If not properly managed, it's less secure, because it goes from "something you know" to "something anyone who gained access knows".

This is telling (2)

elrous0 (869638) | more than 3 years ago | (#35231310)

Even though that's the case (and I'm actually surprised the number isn't higher, considering my own experiences), the real revealing thing about this is that the VAST majority of IT professionals are professional enough not to take advantage of this or to retaliate against former employers. With the exception of a few high profile cases [infoworld.com], almost all IT workers do not use these backdoors for sabotage, theft, etc.

Re:This is telling (0)

Anonymous Coward | more than 3 years ago | (#35231332)

You are surprised that the majority of people aren't vindictive jerks?

Re:This is telling (1)

Stenchwarrior (1335051) | more than 3 years ago | (#35231428)

That's not what he said:

> the real revealing thing about this is that the VAST majority of IT professionals are professional enough not to take advantage.

He was surprised at the number of logins left open, not that people didn't use them in malicious ways.

Re:This is telling (1)

Vectormatic (1759674) | more than 3 years ago | (#35231480)

given what some corporations/bosses pull which ends up with people quitting their jobs, yes

Re:This is telling (1)

elrous0 (869638) | more than 3 years ago | (#35231550)

Considering the numbers we're talking here, it's more accurate to say that almost *no one* is a vindictive jerk. And yes, that does surprise me. If a significant number of IT people are using these backdoors for nastiness they're either covering their tracks very well, or the companies are keeping quiet about it (both possibilities, I suppose).

Re:This is telling (1)

kilfarsnar (561956) | more than 3 years ago | (#35232048)

I have retained access to two companies after I left (I don't have the access anymore). I was pretty pissed at one at the time; I was laid off. I briefly considered sabotage, but quickly made the calculation that it just wasn't worth it. I would just have been making more work for my former colleagues, whom I still liked. And if I really went nuclear, and was caught, I would have been in really hot water. A lot of people probably realize that the risk just isn't worth the schadenfreude.

Re:This is telling (1)

Kokuyo (549451) | more than 3 years ago | (#35231504)

Why limit this to IT? The vast majority of workers can be trusted to do their jobs to the best of their knowledge. Only very few people actually try to do damage.

Of course, that percentage grows exponentially the more you abuse your people.

Re:This is telling (1)

tboulay (458216) | more than 3 years ago | (#35231588)

Even though that's the case (and I'm actually surprised the number isn't higher, considering my own experiences), the real revealing thing about this is that the VAST majority of IT professionals are professional enough not to take advantage of this or to retaliate against former employers. With the exception of a few high profile cases [infoworld.com] , almost all IT workers do not use these backdoors for sabotage, theft, etc.

I'd have to agree with this. I'm really surprised that the number isn't higher. I guess it depends on how diverse of a group they're including in the overarching term "IT professionals". I'd guess that if we were limiting ourselves to server/network administrators the number would be much much higher. Personally, I have not tried, but I'd put any amount of money someone wanted to wager on my being able to gain the highest level access available at my previous employment in a matter of minutes.

This is simply from the fact that I know the architecture of the network in detail, as well as the attitude towards security.

Re:This is telling (2)

Galestar (1473827) | more than 3 years ago | (#35231596)

With the exception of a few high profile cases [infoworld.com], almost all IT workers do not use these backdoors for sabotage, theft, etc.

I think you don't quite have all of your facts straight about Terry Childs. He didn't use it for sabotage/theft nor did he use a backdoor.
Please, go inform yourself before posting again.

To lend a hand when needed. (1)

drenehtsral (29789) | more than 3 years ago | (#35231860)

When you work in the trenches with a tight-knit group of geeks sometimes it makes sense to leave a key under the mat. I have only once used my still-active credentials, and it was to shell in from home to help a former coworker in a pinch, at his request. He was half-way driving from one location in the middle of nowhere to another, a good 30 minutes from the nearest network connectivity, so he used his cell to call me and ask me to run an urgent but simple sysadmin task for him. No problem. Part of the professionalism of the job is being willing to stand by your work and your coworkers even years down the road.

Changing the locks (1)

Anonymous Coward | more than 3 years ago | (#35231312)

It's not much of a surprise that IT departments are sloppy with their security practices. The rational action would be to change the passwords when somebody leaves the department. But IT folks (I'll over-generalize and accuse everybody) are often more concerned about their users' practices than their own. Someone I know got a phone call recently from a person at a company she retired from in 2006. The caller asked if she remembered a password from one of the company's key business systems. Duh. Then there are the IT departments that leave the admin password set to the vendor's default. Duh. When I worked for TWA in the 70's the all-powerful user ID for the reservation system was 1234TW, and so was the password. Duh.

This got me hired by Anonymous (0)

Anonymous Coward | more than 3 years ago | (#35231352)

It was my previous employment at a "security firm" that got me hired by Anonymous. ;)

Not surprised at all (1)

NorbrookC (674063) | more than 3 years ago | (#35231364)

It's always been a problem, and I see it hasn't changed. One of the things I remember from leaving one place a decade ago was just how many systems I had access to as a function of my job as a system admin, and the number of user accounts with that - including support vendor accounts. Even though I was ethical enough to tell them what I had access to, and that they needed to change all those passwords, it turned out that they didn't. I learned that when I was recalled as a contractor, and it turned out I didn't have to get a set of new passwords for the system, about half of the old ones still worked. Even worse, the ones that still worked were ones that gave me root access.
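The situation in the post above (personal accounts and shared support-vendor logins that keep working after a sysadmin leaves) is exactly what a periodic leaver audit catches. The script below is an added example, not code from the poster or from Slashdot. It assumes three constructed inputs that an organisation would normally pull from HR and from its directory and password vault: a departure list, the directory's accounts, and a list of shared or vendor credentials with the people who were told them and the date they were last rotated. It flags enabled accounts of departed staff and shared credentials that were not rotated after someone who knew them left, ranking root/admin-level findings first.

```python
from datetime import date

# Constructed sample data (not from any real organisation).
DEPARTURES = {"nbrook": date(2001, 3, 31), "tjones": date(2010, 11, 5)}  # uid -> last working day

ACCOUNTS = [  # directory accounts as exported from the identity store
    {"uid": "nbrook", "enabled": True, "privileged": True},
    {"uid": "tjones", "enabled": False, "privileged": False},
    {"uid": "asmith", "enabled": True, "privileged": True},
]

SHARED_CREDENTIALS = [  # shared / vendor logins tracked in the password vault
    {"name": "vendor-support/root", "known_to": {"nbrook", "asmith"},
     "last_rotated": date(2000, 6, 1), "privileged": True},
    {"name": "backup-svc", "known_to": {"tjones", "asmith"},
     "last_rotated": date(2010, 12, 1), "privileged": False},
    {"name": "monitoring-ro", "known_to": {"asmith"},
     "last_rotated": date(2009, 1, 1), "privileged": False},
]

SEVERITY_RANK = {"high": 0, "medium": 1}


def audit(departures, accounts, shared):
    """Return stale-access findings, most severe and longest-standing first."""
    findings = []

    # 1. Personal accounts of departed staff that are still enabled.
    for acct in accounts:
        if acct["enabled"] and acct["uid"] in departures:
            findings.append({
                "subject": acct["uid"],
                "issue": "personal account still enabled after departure",
                "severity": "high" if acct["privileged"] else "medium",
                "since": departures[acct["uid"]],
            })

    # 2. Shared credentials known to a leaver and not rotated since their last day.
    for cred in shared:
        stale_for = [departures[u] for u in cred["known_to"]
                     if u in departures and cred["last_rotated"] < departures[u]]
        if stale_for:
            findings.append({
                "subject": cred["name"],
                "issue": "shared credential not rotated since a holder departed",
                "severity": "high" if cred["privileged"] else "medium",
                "since": min(stale_for),  # exposed since the earliest such departure
            })

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["since"], f["subject"]))


def days_exposed(finding, today):
    """How long the access has been open; useful for prioritising the clean-up."""
    return (today - finding["since"]).days


def report(findings, today):
    """Plain-text lines for a ticket or e-mail."""
    return [f"[{f['severity'].upper()}] {f['subject']}: {f['issue']} "
            f"({days_exposed(f, today)} days)" for f in findings]


if __name__ == "__main__":
    for line in report(audit(DEPARTURES, ACCOUNTS, SHARED_CREDENTIALS), date(2011, 2, 16)):
        print(line)
```

The departure-date comparison is the important detail: a shared password rotated the week after someone leaves is fine, one rotated the month before is not, so the check is "last rotation earlier than the leaver's last day", not merely "is old".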

So easy to retaliate, but didn't (3, Funny)

toygeek (473120) | more than 3 years ago | (#35231448)

I have a customer who stiffed me a few hundred bucks for sysadmin work, and he has yet to change his passwords. I doubt he even knows how. I ran across one of them a while ago and sure enough it logged me right in to the account for his colo provider. I did nothing. In fact I even notified him that he should change his password and "oh you still owe me" and never heard a word.

"Hello, my name is Inigo Montoya. You stiffed me money. Prepare to be Pwned!"

Re:So easy to retaliate, but didn't (0)

Anonymous Coward | more than 3 years ago | (#35231910)

A few hundred? Small claims court.

Not too shocking (1)

nine-times (778537) | more than 3 years ago | (#35231484)

I'm not that surprised by this. I still have access to the network from one of my previous jobs, but it's because they specifically wanted me to still have access in case they wanted help. At another job, it took a while for my account to be disabled because I was the guy who would have normally disabled accounts. I had assumed my boss would disable my accounts when he left, but it took him a while.

It really wasn't that big of a deal, though. I left under amicable terms, and even if I hadn't, I'm a professional. The reality is, even when I still had some kind of access, I had no interest in doing anything with it. I'm always very relieved when I leave a job -- relieved that I can cede all my responsibilities, never log in again, and never fix another problem. Really, it's always bad security to give unnecessary access, but sometimes you need to assess the real threat.

This just in... (1)

osgeek (239988) | more than 3 years ago | (#35231496)

10+% of IT "Pros" aren't really that professional if they're going back to their old accounts to see if they can get in.

The computers of companies where I used to work are beyond the event horizon. I would never even try to log into them without some kind of written request for my former employer.

Re:This just in... (1)

Ephemeriis (315124) | more than 3 years ago | (#35231888)

10+% of IT "Pros" aren't really that professional if they're going back to their old accounts to see if they can get in.

The computers of companies where I used to work are beyond the event horizon. I would never even try to log into them without some kind of written request for my former employer.

Yup.

I wasn't that impressed with my replacement at my previous employer. I wouldn't be surprised to find out that he hadn't changed the domain credentials. I wouldn't be surprised to find out I could still log in to their network.

But I haven't tried. And I'm not going to. And I wouldn't even with a written request (screw them).

I'm more surprised that there are that many IT "Pros" out there who have actually tried to log in to a previous employer's systems. Not terribly professional, in my opinion...

Re:Not terribly professional (1)

DocSavage64109 (799754) | more than 3 years ago | (#35232178)

I wouldn't be surprised if that 10% is more a theoretical number of "could" log in if necessary than "did" log in. I think it shows how trustworthy IT professionals are as a group.

Re:Not terribly professional (1)

Ephemeriis (315124) | more than 3 years ago | (#35232300)

I wouldn't be surprised if that 10% is more a theoretical number of "could" log in if necessary than "did" log in. I think it shows how trustworthy IT professionals are as a group.

In which case, I'm wondering why they think they can, if they didn't try it?

Are they just assuming that their replacement is incompetent? Did they intentionally leave a back door that they assume is still there?

I wasn't much impressed with my replacement at my previous job. I wouldn't be surprised if some of the admin accounts haven't been changed. I wouldn't be surprised if I was able to get in to my old employer's network. But I don't know that I actually can. And I certainly wouldn't have answered in the affirmative on any kind of survey.

Even worse... (0)

Anonymous Coward | more than 3 years ago | (#35231512)

I used to work for a bank and all of the branch machines used the same default admin account. Even the kiosks in the lobby. Any customer can walk up to them and gain access.

Client resistance to security efforts (3, Interesting)

grapeape (137008) | more than 3 years ago | (#35231530)

Last year I actually lost a client for being too security conscious. They were a part-time client and only usually called me when it was an absolute emergency...most of the time when a problem happened they would try and fix it themselves, make it worse then call me. I tried to talk them into letting me come in once a month to patch and update on a scheduled basis. I was told I was trying to fleece them and pad my hours and that they felt they needed to take IT in another direction.

Nearly a year later I am still receiving backup notices, a few months back I found out accidentally that the root password hadn't changed when I ran a maintenance script that I used to do a resources audit, forgot to change the account info to a different client. I called them right away and instead of "thanks we will take care of it" I was told that I was hacking and that if I didn't stop they would report it to the police. I even tried talking to their new IT guy (one of the owner's nephews) but he told me he was not allowed to speak to me and hung up.

I'm actually worried about the former client but am completely at my wits end about what I can do about it and frankly I'm worried that when the inevitable happens the first person they will attempt to blame for any disaster is going to be me. For now all I have been able to do is document my efforts to get them to fix the issue.

Centralized Account Management (0)

Anonymous Coward | more than 3 years ago | (#35231536)

Where I work, we have 2 passwords for most users.
1) LDAP based - controls access to all systems.
2) VPN - remote access.

When a user leaves, I "lock" the VPN and LDAP accounts. I check which email distro lists they are on and remove them and add their boss instead.

Then I set a reminder in the shared admin calendar for a year later to delete the account. We're small.

Every machine has a different root password - 30+ random characters, stored in a KeePassX DB. We never use it after system setup. Remote connections to root are prevented. We all connect with our personal accounts then use sudo for admin tasks. Service accounts don't generally allow direct logins, but ssh-key-based connections are configured for selected needs like backups.

We have less than 100 servers and only 10 NEs, so anything too complex would be a non-starter.

Perhaps I have a simplistic view - enterprises with thousands of network elements and many thousands of servers would be different, but the principles would be the same.
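The leaver procedure in the post above (lock the LDAP and VPN access, drop the person from mail distribution lists and put their boss on instead, set a reminder to delete the account a year later) is mechanical enough to script. What follows is an added example, not the poster's code. It assumes an OpenLDAP directory with the ppolicy overlay, where `pwdAccountLockedTime: 000001010000Z` is the documented value for an administrative lock, assumes that VPN access is gated by membership of a constructed `cn=vpn-users` group (the poster does not say how their VPN is controlled), and works on an in-memory snapshot of the directory so the plan can be checked before the generated LDIF is fed to `ldapmodify`.

```python
from datetime import date, timedelta

# Constructed sample directory (not a real organisation): dn -> {attribute: [values]}.
BASE = "dc=example,dc=com"
LEAVER = f"uid=jdoe,ou=people,{BASE}"
MANAGER = f"uid=mboss,ou=people,{BASE}"
STAYER = f"uid=asmith,ou=people,{BASE}"
VPN_GROUP = f"cn=vpn-users,ou=groups,{BASE}"  # assumption: VPN access is granted by this group
OPS_LIST = f"cn=ops-alerts,ou=lists,{BASE}"
STAFF_LIST = f"cn=all-staff,ou=lists,{BASE}"

SAMPLE_DIRECTORY = {
    LEAVER: {"objectClass": ["inetOrgPerson"], "manager": [MANAGER]},
    MANAGER: {"objectClass": ["inetOrgPerson"]},
    STAYER: {"objectClass": ["inetOrgPerson"]},
    VPN_GROUP: {"objectClass": ["groupOfNames"], "member": [LEAVER, STAYER]},
    OPS_LIST: {"objectClass": ["groupOfNames"], "member": [LEAVER, STAYER]},
    STAFF_LIST: {"objectClass": ["groupOfNames"], "member": [LEAVER, MANAGER, STAYER]},
}
SAMPLE_TODAY = date(2011, 2, 16)

PERMANENT_LOCK = "000001010000Z"  # ppolicy: locked until an administrator clears it


def plan_offboarding(directory, user_dn, today, retention_days=365):
    """Return (changes, delete_on). A change is (dn, [(op, attribute, value), ...])."""
    changes = [(user_dn, [("replace", "pwdAccountLockedTime", PERMANENT_LOCK)])]
    manager = directory[user_dn].get("manager", [None])[0]
    for dn, attrs in directory.items():
        members = attrs.get("member", [])
        if user_dn not in members:
            continue
        ops = [("delete", "member", user_dn)]
        # Mail lists pass to the manager; group-based access (VPN) is not inherited.
        if ",ou=lists," in dn and manager and manager not in members:
            ops.append(("add", "member", manager))
        changes.append((dn, ops))
    return changes, today + timedelta(days=retention_days)


def to_ldif(changes):
    """Render the plan as LDIF modify records for ldapmodify."""
    records = []
    for dn, ops in changes:
        lines = [f"dn: {dn}", "changetype: modify"]
        for op, attr, value in ops:
            lines += [f"{op}: {attr}", f"{attr}: {value}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def apply_changes(directory, changes):
    """Apply the plan to a copy of the snapshot so the outcome can be verified first."""
    new = {dn: {a: list(v) for a, v in attrs.items()} for dn, attrs in directory.items()}
    for dn, ops in changes:
        for op, attr, value in ops:
            if op == "replace":
                new[dn][attr] = [value]
            elif op == "add":
                new[dn].setdefault(attr, []).append(value)
            elif op == "delete":
                new[dn][attr].remove(value)
    return new


def is_offboarded(directory, user_dn):
    """True when the account is locked and belongs to no group or list."""
    locked = directory[user_dn].get("pwdAccountLockedTime") == [PERMANENT_LOCK]
    memberships = [dn for dn, a in directory.items() if user_dn in a.get("member", [])]
    return locked and not memberships


if __name__ == "__main__":
    plan, delete_on = plan_offboarding(SAMPLE_DIRECTORY, LEAVER, SAMPLE_TODAY)
    print(to_ldif(plan))
    print(f"# reminder: delete {LEAVER} on {delete_on.isoformat()}")
    print("# verified:", is_offboarded(apply_changes(SAMPLE_DIRECTORY, plan), LEAVER))
```

Locking rather than deleting on day one keeps the account's group history and uid available for the witch-hunt scenario described later in this thread, while the one-year reminder bounds how long the dormant entry lingers.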

Make sure to document account removal request (4, Insightful)

bl8n8r (649187) | more than 3 years ago | (#35231538)

When I leave a place, or a contract is over, I usually work it into an email to request my credentials be removed, or account disabled.  When something goes wrong, the first thing everyone does is point a finger at the last person that left.  If my account has been disabled, it's pretty easy for me to prove my innocence and not waste time trying to convince anyone.  Also puts a little more weight into your argument when you produce an account revocation document which a company was negligent in following through with.  Doesn't sound like much, but makes a *huge* difference when the witch hunt starts.

Re:Make sure to document account removal request (1)

corbettw (214229) | more than 3 years ago | (#35231684)

Not only that, but what happens if, after you leave, someone hacks their system and just so happens to use your account to do so? That's not going to look good, no matter how much you claim to be innocent.

FACT! (1)

Gunkerty Jeb (1950964) | more than 3 years ago | (#35231630)

I know for a fact that a dev guy that left our company a month or so ago still has admin access all over the place. I have been removing him from accounts over which I have control, but I control nothing of any importance (twitter/facebook). Now, he was a nice guy who left on good terms and we still contact him for help from time to time, so I'm not really worried. But some weirdo who gets fired and has the same access could do some serious damage.

Does a real "Pro" even know? (0)

Anonymous Coward | more than 3 years ago | (#35231642)

I'm hoping that 10% is actually a low number due to the fact that a real "Pro" doesn't know because they haven't tried. I liken it to those high school graduates who go sniffing around their old high school, roaming the halls, checking to see if their old locker combination works, etc. If you have been asked to leave and haven't been specifically asked to test your login capabilities why would you be poking around in the first case?

Re:Does a real "Pro" even know? (3, Funny)

Lumpy (12016) | more than 3 years ago | (#35231844)

Yes a real PRO knows.

My desk at comcast, one I have not sat at for 7 years now is STILL empty and has my PC on its desk logged in and running as me. I know this as friends in the department tell me that they still have not moved from my test server on my local machine to a production server so they simply still log in as me with the same password. That will teach them for hiring only MCSE's, one linux box confuses them.

They do use my cube as storage though.

College IT (0)

Anonymous Coward | more than 3 years ago | (#35231662)

When I worked tech support in college, we caught a former student employee logging into the help account. The guy running it changed the password...but it stayed that way for many years, at least 5 years after I left the job and I could still access the account.

Old Accounts... (1)

khr (708262) | more than 3 years ago | (#35231694)

When I left my last job in September, at a big European software and IT services company's office in Pune, India, I had to get the IT department's signature on my "leaving papers". I went to their office, got a signature and my network account was disabled before I even got back to my desk...

My teammates kept offering me their computers to surf the web to pass the time, but I declined. I told them if my account was disabled, I didn't want any suspicions on me for using one of their computers in case anything went wrong. Better that I just stick to the rules and sit at a locked computer chit-chatting with my team until it was time to go. And then the computer was physically removed from the desk before I was...

On the other hand, at the computer I worked at before then and left in 2007, as far as I know some of the developers are still using my computer and account for the work they picked up from me... I thought I modified the program and wrote good enough directions they could've done it from their own systems, but they liked the reliability. Whatever...

Previous Jobs? (1)

flex941 (521675) | more than 3 years ago | (#35231696)

Remember, the name is Steve Jobs actually.

6 out of 10..... (3, Interesting)

Lumpy (12016) | more than 3 years ago | (#35231810)

Have copies of companies assets in their possession. OR physical assets of the company still in their possession.

I was cleaning out some junk data the past weekend, went through my archive of 900+ CD-R's of the past 14 years and found several discs that I shredded as they contained company data from old employers. I also found a binder with a printout of some sourcecode that was for a old job from before 1995.

I dont worry about the guy that can access a server at work, I worry about the guy that leaves the job with a 64gb thumb drive that has the entire customer database on it.

Re:6 out of 10..... (1)

DocSavage64109 (799754) | more than 3 years ago | (#35232346)

Where did you get the "6 out of 10 ... Have copies of companies assets in their possession. OR physical assets of the company still in their possession." quote? I didn't see it in the linked article, and even if it was, could a paperclip or pen be considered a "company asset in their possession"?

I do agree that people stealing confidential databases (or losing laptops with that data) are the bigger threats.

Do you even have to ask? (1)

almitchell (1237520) | more than 3 years ago | (#35231868)

I still have full administrative access to an IBM passport account at a company I left 3 years ago. After the third time I mentioned they should remove me, I gave up and figured, if I ever decide there's anything I need, they can pay for it.

I can too (1)

stealth_finger (1809752) | more than 3 years ago | (#35231974)

After leaving my last job (a school, on good terms) they'd closed down my personal accounts before I even got home. But all the master admin logins and passwords are still good, as well as all the test users I set up. I can still nip in and yoink some educational resources if I need them.

I could probably still delete everything if I were so inclined, they'd have back ups so it would just be an annoyance but still possible, and easy which is probably the worst part.

It's quite common (5, Interesting)

ledow (319597) | more than 3 years ago | (#35232020)

Most places will happily give you every password in the world when you start a job there. And sometimes the "intermediate" stage between you leaving and someone else doing your job is filled with outside contractors and random people who "need" your passwords.

Whenever I leave an employer, I make a BIG list of everything I know in terms of passwords, passcodes, keys, etc. and compile it on paper or a CD. I put literally everything in there, even down to little foibles of the system and the reasoning for strange configurations. I then furnish the boss with one copy of that CD, hand him another copy to "put in a safe place" (usually a safe) and then leave.

I did this at my last workplace. They were getting increasingly silly and employing people with zero expertise, and I already had another job lined up so my entire notice period was spent house-cleaning and compiling lists while taking care of the mundane jobs.

Technically I reported only to the headteacher of the school in question, having been employed by him without any formal assignment in a staffing structure (to the point where the local borough phoned up to complain that I was earning too much for any of their pay-scales and had to be put on my own unique one).

When I left, there was no replacement for me (because they weren't interested in employing the only guy out of all the candidates that *could* do my job because he had formerly worked in Tesco's supermarket rather than sit on his arse in the middle of a recession) so I handed off to the headteacher. This immediately caused an argument because one of the new staff who was the new "second-in-command" there (and that decision was partly responsible for me wanting to leave in the first place!) DEMANDED the "admin password for the network".

He wasn't an IT guy. He knew nothing about computers at all. He just wanted it because he was sure that the dozens of digital voice recorders that he'd bought on a whim (without IT authorisation) could be made compatible with the non-networkable, kiddified, decades-old audio editing software he'd bought on a whim (without IT authorisation) on the network he didn't know how to manage, no matter how many times I told him they were incompatible. He was convinced that if he somehow got the "magic" administrator's password and then let 1000 kids loose with it so they could listen to themselves talking, it would solve his problems with not teaching part of the IT curriculum.

Obviously I must have been deliberately lying when his DRM'd-AAC-only recorders couldn't be opened in a program that only took WAV's (not even MP3's!) and that an intermediate conversion step (which he DEMANDED shouldn't be necessary and refused to use) was required.

Apart from the fact there were three networks, there were dozens of different passwords, and he wasn't getting *ANY* of their passwords until I was way outside the building and long gone, I had a duty to protect the information secured by those passwords (information on kids, people's salaries etc.). If you read the rules precisely, that means that I had to hand off ONLY to the headteacher, who could then hand off passwords to others as they saw fit.

So I did just that, in the process making my own day by telling the guy "No." even if he WAS second-in-command there (he didn't seem to understand that I didn't report to him, no matter what he thought of that idea). He was rather miffed. I also, with the head's permission, gave a copy of the CD to the lead governor of the school who was a big-iron IT guy for his day-job, that we both knew we could trust - he would be fixing any major issues that occurred in the school until they could find a replacement and he was there to sign-off on my hand-over.

A week later, a phone call from the second-in-command. He'd got the administrator password, tried it out on several PC's and couldn't do what he wanted (ignoring the fact that he wasn't using ANY of the network software management that we had in place). So he demanded that I give him the "real" administrator's password. Or come back in and get it working for him. I said the second would NOT be happening because I had completed a hand-off and the audio-devices were something that I'd always said I couldn't get working the way he'd liked (whether or not that was due to my own incompetence or not).

I also pointed out that ALL passwords were on the CD. ALL instructions were on the CD. Everything on the CD was everything that existed and more than adequate to do anything that was possible. The governor who we'd given a copy of the CD to was an IT guy far in advance of myself and had happily confirmed it was everything that anyone would ever need in that job (in fact, he said there was a bit TOO much information, because I'd done a complete network map down to the individual cable / port / switch, etc. - the final week of a month's notice passes very slowly).

"What CD?" he asked. At which point I told him to talk to the head. Somehow he'd got an "admin" password and been installing software. At that point, any obligation I felt to fix the school systems was gone, and there wasn't anything to "fix" because that problem was due to poor purchasing and not checking.

I don't care what happened to the system after that. I wouldn't even fix it at my usual (extortionate) rate for jobs that I really don't want to do and hope that a high price would put people off asking me to do them.

Technically, as IT guy, I could still theoretically cause tons of damage (i.e. stopping people getting paid, stopping suppliers getting paid, removing historical archives of vital tax information, etc.) if they haven't changed those passwords. I really don't care - I have no intention of ever doing any of the above, nor would the governor that took up the slack until someone was formally appointed to replace me. Nor, I would hope, would my replacement but I would be infinitely more certain about that if they'd hired the guy who *I* chose as being the one who could run the whole show.

No, the danger is the idiot that has access to the system for even two minutes under an elevated account. I know. I used to make a career by cleaning up school systems where teachers had been left in charge for even a month. Your IT guys aren't the problem - if you employ the right people, they won't do nasty things in the first place and they will stop anyone who had access previously from doing nasty things by removing their old accounts. That's their job.

The problem is people who treat the password as a magic "sauce" to get around pesky permissions problems (and other unrelated problems) and people who employ idiots. That guy can cause more damage *accidentally* in ten minutes with the admin passwords than I can fix in a week (if at all, when it comes to things like data disclosure and backup destruction).

Of course, but... (0)

Anonymous Coward | more than 3 years ago | (#35232040)

Why would I want to?

I suspect I still have access to mine (1)

Anonymous Coward | more than 3 years ago | (#35232150)

Even though it's been 6 years since I've worked there. A few months ago, I ran some LDAP code that was based on a big intranet package that I built for the company. I had neglected to change the LDAP server address and it still pointed to the LDAP server at the office. It connected and walked the LDAP tree accordingly. So 1) They never changed the LDAP manager password. 2) They actually disabled the firewall rules on both the LDAP server and the edge router that kept people from binding to the LDAP server.

I built everything there to use LDAP as an SSO. The half-dozen intranet sites, email, router TACACS+, and root access on 20+ servers.

I was tempted to send the information to Anonymous or alt.2600, since the company and I parted ways on bad terms. But I don't feel like going to PMITA prison.

steve.jobs@next.com (1)

roger_pasky (1429241) | more than 3 years ago | (#35232170)

Do you mean one out of ten of us can access Steve's account in his previous company? I guess it has already been disabled ;-)

Admins are Gods (0)

Anonymous Coward | more than 3 years ago | (#35232176)

They shouldn't need prior work from a company to access their accounts any more than they should have the desire to access accounts from a company they left. Kind of like Plato's "I can kill but I have no desire to kill".

Quest. (4, Insightful)

saintlupus (227599) | more than 3 years ago | (#35232274)

If only the company who commissioned this survey happened to sell a bunch of account and identity management tools.... Oh, they do? What luck!
