Humans
Still one of the weakest links in the security chain. But it also goes to show - make your security too complex and people write things down.
What looks like system passwords at one of London's busiest railway stations – printed and attached to the top of a station controller's monitor – were exposed to viewers during a BBC documentary on Wednesday night. The login credentials were visible just before the 44 minute mark in the documentary Nick and Margaret: …
Clearly what's really happened here is that there is a secret table of 512 different randomly generated 16 character passwords that every member of staff has memorised. The sticker on the monitor simply tells the operative that they should use Password number 1.
Just like when I memorised the colour code sheet for JetSet Willy.
I'm joking, I didn't.
I worked for an IT contractor years ago that provided IT support for the local branches of a major bank.
We were in contact with their network operations center on a regular basis. They were very proud of their password security policy. They required a password change every 30 days, at least 10 characters, it had to include one caps and one number.
All of this was great, except that when real users are involved, it doesn't work. If you went to ANY PC in any of the branches (including the teller line), there was a post-it note with the last two or three passwords crossed out and the current one listed below them. When I commented on how insecure this was, users complained that the passwords were so complex and changed so often that there was no way to remember them.
So, the operations guys, by forcing a strict password policy, created a situation where they had effectively no security. You may be thinking that management should put a stop to people posting their passwords on their monitor, right? Wrong. One day when I was working on the PC that belonged to the regional manager for our entire state, guess what? She had her password list posted on her monitor!
In the end, people are people. I tell this story frequently to other junior network admins (leaving out the bank's name, of course). If you push too hard with security, users will push back. And remember, we are outnumbered! Plus, with some exceptions, managers are humans too. Don't expect them to enforce security policy if they find it too hard to follow themselves. They will just tell staff "don't worry about it, you know how IT is".
Anonymous for obvious reasons...
The story that I read about in a computer magazine once was about the open-plan department that had a large-print wall poster saying "This month's password for the accounts system is: Tsirac64" "because the buggers keep changing it".
That password in fact was constructed from the first six unique letters in this post - usually I take a newspaper - and two unique digits constructed from looking at my digital watch, and it isn't as long as the specification you described. And, as I need to log in to more and more different services, scrupulously using different passwords, I am considering having them written down in a more outrageously conspicuous form than I have already. Maybe set as my PC's wallpaper?
The old acronym... PEBCAK. Problem Exists Between Chair And Keyboard.
This shows the trouble with humans and security. You can have the best, most advanced systems in the world protecting your computer, but as soon as you involve humans, they can blow the system wide open.
Bull. Whoever designs systems that don't take into account that we're all human has failed miserably in their risk management. Giving it a funny SLA (six letter acronym) doesn't make it go away - you design systems for humans to use, so it's not like you don't know that you have the risk exposure; deal with it. Really, a large part of security failures is exactly the failure to realise that humans make mistakes, and to create some fault tolerance or a better UI to address that.
I saw a simple but classic example of that in the POS system of a jewellery store I had to audit recently. They had one login to log payments, items and client details, and we're not talking about trivial people here. When I asked why they didn't have a login per staff member, it emerged the POS author had based the login on the Windows login (yes, running XP, hush), which meant the system had to deal with all the crud that goes with a Windows login, which time-wise takes centuries to load, whereas a login in the (server based) application would have been one single hash check in a small table and go (Windows simply provided the terminal function; it had no other role in that shop).
So, the store didn't follow best practice security because a developer had been an idiot by not checking the store sales process actually worked. Once we had both parties actually talking to each other it was addressed one software update later.
Barring blatant stupidity, blaming the user only becomes acceptable if they were consulted in the creation of any IT facility they are to use. Otherwise, not handling their errors is like any other lack of error handling: an IT problem.
Puhlease. Are you saying that the humans cannot memorize passwords?
Not when one wants 10 alphanumeric, excluding special characters.
The other wants between 6 and 15 and includes special characters.
Another wants more than 10 including special characters, except for spaces, commas, full stops.
Another wants fewer than 8 but must contain at least 1 uppercase, 1 number, 1 special character.
Another wants more than 15.
Another wants 10 but must contain at least 2 numbers and 2 uppercase.
And so on and so on.
Surely the lesson to learn is:
DON'T PUT PASSWORDS ON HUGE DISPLAYS ATTACHED TO THE COMPUTERS THAT NEED THEM.
I don't disagree with writing them down. But put them in a book and lock the book away. Hell, I used to seal our "disaster recovery" password book such that anyone opening it would break the seal, which couldn't be redone without damage. Then we put it in the company safe. Anyone slyly opening that to get the password would hastily put it back, and I'd know if a superior had ordered it open without my knowledge (for which I stated in advance that, at that point, I would be handing in my resignation unless there was a REALLY good reason, e.g. I was in a foreign country and uncontactable and there was a major incident, or if they were investigating me for some reason, etc.).
Passwords are still passwords. Don't broadcast them on the same machines that require them. That's pointless. Don't whiteboard them at all. RAF places having them written clearly on bulletin boards? You're idiots. Distribute an internal email/memo to those who need them instead.
If you need to publicly advertise the password, you are effectively making that account unpassworded. That might even be a sensible alternative (if you can only access from the intranet anyway, and have to be logged in to do that, and it's just a hassle of yet-another-password). But you do have to consider that.
UK Data Protection basically says nothing to stop you writing passwords down. But they have to be given only to those with a need for them to carry out their duties. As such, writing them in a personal book or a memo in your (hopefully passcoded) phone is fine. Putting them on a noticeboard is not.
Don't put authentication into systems that don't need it. It looks to me as if that's a username/password combo for routing the appropriate signalling information to that particular workstation. That is, the signalman for that area always goes to that workstation, rather than the signals following the user to whatever workstation he logs in at.
If that's the desired configuration it shouldn't require the user to enter it at all!
"Surely the lesson to learn is:
DON'T PUT PASSWORDS ON HUGE DISPLAYS ATTACHED TO THE COMPUTERS THAT NEED THEM."
No; you're wrong and the AC is right; the lesson to learn is:
"DON'T SHARE PASSWORDS" and "DON'T DESIGN SYSTEMS THAT REQUIRE SHARED PASSWORDS".
As soon as password communication becomes "normal" to users, then there is no password security. You also have no audit-ability, so if something goes wrong you can't trace it back to the user who transacted it, unless they own up.
Reg_hack@elreg.co.uk to TFL_bigwig@tfl.com: Hey, you broadcast your passwords to all and sundry last night, were you aware?
TFL-bigwig: autoresponse: I have very important champagne breakfast meetings with suppliers and lobbyists until 10am, I'll read my emails then
TFL_bigwig to TFL_minions: some hackers at the registrar know our passwords. please change them and write them down for the nightshift.
TFL_minions: we don't have those fancy printers to make those password labels anymore due to budget cuts, what should we do?
TFL_bigwig: I don't know, just cross out the "1" at the end. Just sort it and stop coming to me with problems. I want solutions!
TFL_minions: we've changed the password from "Password1" to "Password," please distribute to those who need it
TFL_bigwig to TFL_all_employees: the new password is "Password"
TFL_bigwig to TFL_renumeration: I've hit my data security target 3 months early, make sure my bonus reflects my outstanding performance. P.S. You're all invited for celebratory champagne at spearmint rhinos later this evening.
My job/company involves working with highly sensitive client data. Stuff industrial espionage, hacking and other illegal activities are committed for. The main account for the mechanics/spannermonkeys around here to access work instructions has its username and password clearly written out on a large sticker stuck to the front of the PC. Access to the space is not that secure, to say the least...
It's a generic login to a system whose access is controlled by physical security. The username / password security isn't implemented in any (that I know of) signal boxes, hence the default user / password is printed onto long lasting tape on the top of the monitor (it's not a post-it or similar put there by the signaller). Stop making up problems that don't exist.
Lots of use cases for generic logins if the apps are designed for turnkey use and have transactional authentication and it DOES NOT MATTER what Windows profile is being used.
I bang my head on my virtual desk when people forget that this use case exists. If a time sensitive system that a lot of people need instant access to requires users to log into Windows, wait 3 minutes for the desktop to appear, then 15 seconds for the app to start up, just so they can perform a 5 second transaction in it before doing a full Windows logout, that is a 200 second turnaround for a 5 second action. Not clever at all.
And the exact same principle applies for real time safety monitoring systems on the railways. What do you want - a 2 minute handover at shift change where no bugger can see what's happening on the track because some numpty thinks the ability to have persistent mapped drives on a user-by-user basis is so important that they impose unique logons where there's bugger all point to them?
There's a good reason why cashpoints don't require full Windows login and logout for every different person in the queue.
I've seen that application open at Waterloo and one or two other locations - it looks like a realtime display of the status of the points and signals. The buttons on the application have the fairly distinctive oval styling (rounded ends) of the Open Look intrinsics, which places the app at something like 20-25 years old, probably running on Solaris.
If only this was real news...
The app shown on the screens is simply a real-time display of the approaches to Waterloo. It is on a completely isolated intranet with no external connectivity other than inbound feeds from various Network Rail systems. It has no control over any signalling or train movements.
Also, the problem yesterday was a dislodged conductor rail on the Southern network into Victoria - completely unrelated to SWT, which goes into Waterloo.
Sadly, knowing the username and password won't do you any good unless you happen to work for SWT and have access to their Intranet.
Nice try though :)