Universalpsykopath tugs our coat and says: Tell us about your feats of deduction and the little mysteries you've solved. Alternatively, tell us about the simple, everyday things that mystified you for far too long.
( , Thu 13 Oct 2011, 12:52)
So the IT department at work has got a company of "legal hackers" to test the security of our website. As web manager, they contacted me to ask precisely where all the admin areas are, which parts of the site are password-protected, and then to supply them with a list of usernames and passwords so that they can access those areas and "test their security".
Perhaps I've missed something, but isn't that completely fucking retarded and ass-backwards?
( , Fri 14 Oct 2011, 17:03, 12 replies)
Sounds like the sort of job I could do... Did they find any security holes? You sure that this wasn't a whajimacallit - attack - psychological - ermmm there's a word for this type of scam.
( , Fri 14 Oct 2011, 17:11, closed)
I got an email from the IT director basically ordering me to send them anyway. I have a copy of that email printed and pinned next to my monitor as arse-covering material, should all this turn around and blow up in my face.
( , Fri 14 Oct 2011, 17:13, closed)
I believe it's referred to as 'social engineering'. I've a mate in the pen testing game - and while he's done many, many rather interesting things, I'm not sure he's ever been so brazen as to simply ask the web admin for the passwords...
( , Fri 14 Oct 2011, 17:19, closed)
by Kevin Mitnick (I think) is a pretty good read. It's all about social engineering, and how he was portrayed as a technical hacker (and subsequently locked up for 8 years with no trial), when in reality all he did was trick people into giving him passwords.
( , Fri 14 Oct 2011, 21:53, closed)
Their report ought to read 'Major Security Failing: The IT Director who gave us all your passwords'
( , Fri 14 Oct 2011, 17:26, closed)
I used to work for a law firm in the department responsible for organising training courses on data protection and privacy. One attendee company asked me to disclose the names of all the companies attending the course; I said "no".
( , Fri 14 Oct 2011, 17:39, closed)
A truly comprehensive test of security would require penetration testing, yes, but would also test to see whether each user role (e.g. administrator) could only do the things they're supposed to do, instead of (for example) hoovering up every visitor's credit card numbers, genetic fingerprint and preferred sexual position.
( , Fri 14 Oct 2011, 21:35, closed)
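The role-by-role check described in the comment above is usually done as a permission matrix: one session per role, every action tried from each, and the result compared against what the business says that role should be allowed. The script below is an added example, not code from this thread or from any real engagement; the roles, actions, policy tables and the "card numbers" action are all constructed for illustration, and `authorise()` stands in for whatever access-control check the real application performs.

```python
"""Role-permission matrix check (added example; all data is constructed)."""
from typing import Dict, FrozenSet, Set, Tuple

Policy = Dict[str, FrozenSet[str]]

# Constructed: the permission table the application actually enforces.
# Note that "admin" has been handed read access to stored card numbers.
ACTUAL: Policy = {
    "visitor": frozenset({"view_page"}),
    "editor":  frozenset({"view_page", "edit_page", "upload_image"}),
    "admin":   frozenset({"view_page", "edit_page", "upload_image",
                          "manage_users", "read_card_numbers"}),
    "finance": frozenset({"view_page", "view_order_totals"}),
}

# Constructed: what each role is *supposed* to be able to do.
EXPECTED: Policy = {
    "visitor": frozenset({"view_page"}),
    "editor":  frozenset({"view_page", "edit_page", "upload_image"}),
    "admin":   frozenset({"view_page", "edit_page", "upload_image",
                          "manage_users"}),
    "finance": frozenset({"view_page", "view_order_totals", "export_orders"}),
}

# Constructed: actions whose mere presence in any role is worth flagging.
SENSITIVE: FrozenSet[str] = frozenset({"read_card_numbers"})


def authorise(role: str, action: str, policy: Policy = ACTUAL) -> bool:
    """Stand-in for the application's own access-control decision."""
    return action in policy.get(role, frozenset())


def all_actions(*policies: Policy) -> Set[str]:
    """Every action named in any of the given policy tables."""
    actions: Set[str] = set()
    for policy in policies:
        for granted in policy.values():
            actions |= granted
    return actions


def role_matrix(policy: Policy = ACTUAL,
                expected: Policy = EXPECTED
                ) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Try every (role, action) pair, as a tester would with one session
    per role, and return (extra, missing): actions a role can perform but
    should not, and actions it should have but cannot."""
    actions = sorted(all_actions(policy, expected))
    extra: Dict[str, Set[str]] = {}
    missing: Dict[str, Set[str]] = {}
    for role in expected:
        for action in actions:
            allowed = authorise(role, action, policy)
            should = action in expected[role]
            if allowed and not should:
                extra.setdefault(role, set()).add(action)
            elif should and not allowed:
                missing.setdefault(role, set()).add(action)
    return extra, missing


def sensitive_exposure(policy: Policy = ACTUAL,
                       sensitive: FrozenSet[str] = SENSITIVE) -> Set[str]:
    """Roles that can reach any sensitive action at all, regardless of
    whether the expected table happens to grant it."""
    return {role for role, granted in policy.items() if granted & sensitive}


if __name__ == "__main__":
    extra, missing = role_matrix()
    for role, acts in sorted(extra.items()):
        print(f"OVER-PRIVILEGED  {role}: {sorted(acts)}")
    for role, acts in sorted(missing.items()):
        print(f"UNDER-PRIVILEGED {role}: {sorted(acts)}")
    print("roles touching sensitive data:", sorted(sensitive_exposure()))
```

Both discrepancy directions matter: an over-privileged role is the finding the comment is worried about, while an under-privileged one often means staff are sharing a more powerful account to get their work done.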
Rule number one is you never give out a privileged password. I used to work as an admin and the only way I'd knowingly allow someone to test my access would be to check it whilst I watched.
I suppose another way to do it is to change the passwords of the affected accounts to ones known by the auditors for a brief window for testing and change them back afterwards. This, however, would require an air-tight contract to protect both the company concerned and the auditors.
( , Sat 15 Oct 2011, 0:12, closed)
Temporary passwords and sitting over the shoulder.
Truth be told, that type of testing should first take place in a sandboxed environment with test (not production) data.
( , Sat 15 Oct 2011, 0:23, closed)