Thursday, February 17, 2011

why your company needs to use 2-factor security now

so this story points out one of the pink elephants in corporate security: accounts are often left open after employees leave the company. the other pink elephant they won't talk about is shared accounts.

i can't tell you how many people's passwords have been told to me by users while i was an admin. if i wasn't creating them an account i'd just be troubleshooting something and they'd just give me their password, like it was a free coupon. aside from this, there are co-workers who often share passwords to get access to files locked away by strong permissions, or to work on the same project for brief periods, or just for the hell of it. they don't really care about security and they don't think anyone's going to abuse the trust. but there's very little trust in real security.

so here you have ex-employees who potentially know several other employees' passwords. if all you use is a password for, say, VPN and e-mail, your company has been owned. there are case studies in how you will get hacked just by pilfering an e-mail account. so clearly, this shit needs to be locked down. you can't just rely on a password - you need another authentication factor.

don't want to pay for expensive RSA SecurID? that's fine; use VeriSign's free OpenID provider and a $5 hardware authenticator from PayPal (or a $30 version from VeriSign) and you have effective, open 2-factor authentication.

is it possible to steal someone's authenticator and get away with a similar hack? of course. but it's a lot easier for someone just to log in using someone else's credentials and escalate to wherever they want to be.
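the hardware authenticators mentioned above are one-time-code generators. as an added illustration (not code from the post, and assuming an OATH HOTP token per RFC 4226, which the post doesn't specify), here is the server side of such a setup: code verification with a look-ahead window and replay protection, plus a login check that always evaluates both factors, so a password that an ex-employee still remembers is useless on its own. `make_user`, `TokenRecord` and the salt value are constructed for the example.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TokenRecord:
    """Server-side state for one user's token: shared secret and next expected counter."""
    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter

def verify_otp(record: TokenRecord, submitted: str, window: int = 5) -> bool:
    """Accept the code if it matches one of the next `window` counter values (the
    token may have been pressed without a login), then advance past it so the same
    code is never accepted twice. A miss leaves the counter untouched."""
    for i in range(window):
        if hmac.compare_digest(hotp(record.secret, record.counter + i), submitted):
            record.counter += i + 1
            return True
    return False

def make_user(password: str, token_secret: bytes, salt: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the token state."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "token": TokenRecord(token_secret)}

def check_login(user: dict, password: str, otp: str) -> bool:
    """Both factors are always evaluated; a known password alone never gets in,
    and the caller learns only pass/fail, not which factor was wrong."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    pw_ok = hmac.compare_digest(digest, user["pw_hash"])
    otp_ok = verify_otp(user["token"], otp)
    return pw_ok and otp_ok
```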
