Schneier on Security
A blog covering security and security technology.
August 7, 2007
Asking for Passwords
How do you get a password out of an IRS agent? Just ask:
Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of Internal Revenue Service.
Wow. At the very least, I would have expected to have to give them chocolate.
Posted on August 7, 2007 at 6:53 AM
• 34 Comments
After all the other studies I guess all it proves is that IRS bods might be human as well 8)
There is an interesting comment from a 'high profile IT company' employee in the BBC news item linked here:
"I work for a high profile IT company [..] Also, don't use your name as a log-in, use something alphanumeric such as your car and car registration number i.e. peugeotrv02tkn - it is just as easy to remember (usually) but harder to crack."
Since when are usernames regarded as a security measure? The only security layer between an intruder and a password-protected system is the password.
Really wow. This is even easier than trying to get access to offices with a blue workman's coat... Sounding "real" is far simpler than having to look real.
I can only hope the firewalls etc are good enough so the password doesn't allow any entry from outside... else: havoc.
User names are simply part of the password authentication step. It is the identifier used to track network usage, log-on attempts and failures, along with, most of the time, access controls. Give a person the user name and they only need to find the password. Don't give them the user name and they need to find both. If your company has a standard naming convention for user names, as most do, as does mine, then you can easily pick and choose which one you want to try and take control of. Find the naming convention for a low-level, underpaid contractor and you can easily convert that to the user name for your CSO. Now you just need to break the password for the CSO.
As far as the IRS employees, this is no different than any other place in the world, I am sure. I spent 4 months in my previous job before my identity was questioned. I would just walk up to people who I had never met, saying "Hi, I am here to fix your computer," and the user says "OK" and goes on a coffee break.
The only way to combat this is to educate the employees. This needs to be done carefully. You must explain what needs to be done, how they can do it, and why it is needed. If they do not understand the why, nothing else will matter. This all needs to be delivered in a manner that does not belittle them or make them sound unintelligent, or nothing you say will matter.
Hey, if someone stopped me on the street and said "I'll give you a free chocolate bar for your password", I'd give them a password and get a free chocolate bar.
It wouldn't work anywhere, but it would sure sound like it did.
Possibly some of the people fell victim to shortcuts. They were told "do not disclose your password", but the auditors used a modified technique and asked people to temporarily change their password to a provided one.
@dbt: that's why this study is valuable - we know for a fact that those who complied really did so in a way that might have compromised security, because they were able to check independently.
The odd thing is, the same people would never hand over their house or car keys upon request from a stranger, even for chocolate.
What seems to be broken here is the metaphor that informs people's view of computer security. Perhaps it's the word, "Password", which evokes images of treehouse clubs and comedy sketches, instead of suggesting locks and protection of valuables. Or maybe it's just that password-style security is too easy to be taken seriously by most users.
I've no idea what would change this attitude problem. It seems clear, however, that this problem will never go away until users can be made to think "Housekeys" thoughts instead of "Lil' Rascals" thoughts at authentication time.
"The odd thing is, the same people would never hand over their house or car keys upon request from a stranger, even for chocolate."
Depends on how much chocolate, and what kind.
@Paul Crowley: "[W]e know for a fact that those who complied really did so in a way that might have compromised security, because they were able to check independently."
I took dbt to be referring to Bruce's second link (to the BBC article). That was based on street surveys. (Hence dbt said, "...if someone stopped me on the street..."). That article doesn't say those studies involved checking independently. I'll give you a fake password in return for a piece of chocolate, too. It looks like a dumb approach if you're really trying to figure out who would give you *genuine* sensitive information.
This is a test of impersonating Bruce Schneier in the comments section of his blog. This is only a test. If this were actually Bruce Schneier, this message would have been authenticated as such and he would have r0x0r3d your crypto.
The above Bruce Schneier impersonation test was me. Along those lines, Bruce, how can we know when it's you that is posting in the comments?
..."The odd thing is, the same people would never hand over their house or car keys upon request from a stranger, even for chocolate."
But they _might_ hand over (or lend) their office keys or those to the warehouse forklift. The feeling of "ownership" of company assets is often weak, and is weakened further by nutty edicts from "security". When the IT department makes one use an easily guessable email ID that is different from the easily guessable login ID, and enforces long-discredited policies like password aging, it's pretty easy to see that they don't actually give a fig for security, so why should workers?
Especially when there is chocolate on the line. :-)
"But they _might_ hand over (or lend) their office keys or those to the warehouse forklift. The feeling of "ownership" of company assets is often weak..."
I agree that the sense of responsibility tracks the sense of ownership, and I certainly don't underestimate the power of chocolate.
However, most people also pick comically weak passwords for their personal computing --- forums, e-bay, web commerce, web banking, etc. Here is both ownership and value, and still no sense that a strong password is analogous to a strong lock. People who put $70 bike locks on their $250 bikes are protecting their life savings behind three bits of entropy. Obviously they are just not making the connection.
The article lacks a lot of information, which makes me question the validity of the test and the interpretation of the results.
There is no indication that the validity of the user-id given was verified, or of any checking of logs to show the user had actually changed their password as requested.
Did the "technician" actually then log in using the person's user-id and password? If not, perhaps the IRS agents were savvier than the article or test gives them credit for, and misled the technician.
A proper test would have at the very least verified the logs showing a password change at the time requested by the technician. And you'd think the article would mention this as proof of the test results.
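The log check this comment asks for, correlating each test call with a password-change event shortly afterwards, as an added example that is not from the TIGTA report or the post; the call records, the event-line format and the 30-minute window are constructed assumptions:

```python
"""Verify social-engineering test results against authentication logs.

Added example, not from the TIGTA report or the blog post. The call records,
password-change events and the 30-minute compliance window are constructed.
"""
from datetime import datetime, timedelta

# Constructed audit-call records: when the tester phoned, and whom.
CALL_LOG = [
    "2007-07-10T09:02:00 jsmith",
    "2007-07-10T09:15:00 mlee",
    "2007-07-10T09:40:00 kpatel",
    "2007-07-10T10:05:00 rgarcia",
]

# Constructed password-change events from the authentication system.
PASSWORD_EVENTS = [
    "2007-07-10T09:06:30 PASSWORD_CHANGED jsmith",   # minutes after the call
    "2007-07-09T17:20:00 PASSWORD_CHANGED mlee",     # day before: unrelated
    "2007-07-10T09:58:00 PASSWORD_CHANGED kpatel",   # 18 min after the call
    "2007-07-10T11:30:00 PASSWORD_CHANGED rgarcia",  # 85 min later: too late
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def changes_by_user(events):
    """Index password-change timestamps by user name."""
    by_user = {}
    for line in events:
        ts, action, user = line.split()
        if action == "PASSWORD_CHANGED":
            by_user.setdefault(user, []).append(parse_ts(ts))
    return by_user


def classify_calls(call_log, events, window=timedelta(minutes=30)):
    """Return {user: 'complied' | 'no_change'}: a user complied only if a
    password change is logged within `window` after the test call."""
    changes = changes_by_user(events)
    result = {}
    for line in call_log:
        ts, user = line.split()
        called_at = parse_ts(ts)
        hit = any(called_at <= t <= called_at + window for t in changes.get(user, []))
        result[user] = "complied" if hit else "no_change"
    return result


def compliance_rate(call_log, events):
    """(number who complied, number called), the figure the report quotes."""
    verdicts = classify_calls(call_log, events)
    return sum(v == "complied" for v in verdicts.values()), len(verdicts)
```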
This sort of thing hasn't really surprised me for years, now.
One of the most egregious examples that I've personally encountered was a few years back when I took a temporary job for a few weeks on the IT helpdesk at a Healthcare Trust in the English Midlands.
For the first few days I was mildly uncomfortable at the number of doctors, nurses etc., who were offering to give me their Windows network login names and passwords, in the apparent belief that this would speed the fixing of their broken PCs.
The real stinker, though, came a couple of weeks in when I fielded a call that began "Hi, this is Kevin F...... over at Gaol Street; my CLINICOM terminal's stopped working and I need it quick. My CLINICOM login is xxxxxxx and my password is yyyyyyy.", all before I could get a word in edgeways.
I boggled, paged a technician, gave the guy an ETA and hung up.
Now this wasn't a Windows network login that the guy had given me, bad as that would have been. CLINICOM was the separate, allegedly hardened, system that held actual patient notes and other extremely sensitive documents.
Add to that the fact that the list of public phone network numbers for dial-in modems with access to CLINICOM was easily available to any Tom, Dick, or Harriet who was temping at the helpdesk that week, and things could have gotten very ugly, very fast.
Even worse this particular guy, whom I happened to know, although he hadn't known it was me on the phone, was a Forensic Psychiatric Nurse based at the local Police Station, which meant, amongst other things, that the bulk of the patient notes that he'd unthinkingly exposed to a complete stranger would also have had substantial police input and their subsequent dissemination to either the patients themselves or to the wider public would have been a matter with serious public safety ramifications.
I was, as the saying goes, completely gobsmacked.
The next time I bumped into Kevin, I had the proverbial quiet and polite word with him regarding the above; for an otherwise well qualified and intelligent person he was stunningly intransigent and clue resistant and left me on the verge of making a formal complaint about the matter.
In the end and with an eye to our nominal friendship at the time, I settled for voicing my concerns with an internal manager, although I suspect no substantive action was taken regarding the breach of patient confidentiality.
The example by Zilly points to the fact that doctors often view their time as valuable (for a variety of reasons) and it's more important to them that their problem is fixed than any security mumbo-jumbo.
And in some cases, you can't blame them. But if their login isn't needed, then that is a matter of training. More than likely, before Zilly's arrival, previous calls that included the login credentials resulted in faster service (i.e. the problem was fixed faster). So they become trained to believe that's the best way to get the job done fast (regardless of that old security mumbo-jumbo again).
It would be interesting to see what these passwords that were given actually were.
When they force some security enhancing rules in AD, such as no double characters, needs at least upper and lower cases and letters and/or special characters and must be 8 characters long, you get all these Pas5word, Password1, P4s5w0rd ...
We use "coded" login names here, but just for email, and I think it's a fair idea. If you get an email from firstname.lastname@example.org, and discover there's a public http://mail.irs.gov webmail site, then you're already halfway in as far as cracking the account. Even if you can't get in, you can DoS the email account if it locks after a certain number of bad guesses.
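The point about Pas5word-style passwords satisfying the rules, as an added example that is not from the post or any real AD configuration: the complexity check mirrors the rule set this comment lists (8 characters, no doubled characters, upper and lower case, digits and/or special characters), and a deny-list check with leet-folding catches what the rules let through; the deny-list and candidate passwords are constructed.

```python
"""Complexity rules alone accept the weak passwords the comment lists.

Added example, not from the blog post or any real AD configuration. The rule
set mirrors the comment: at least 8 characters, no doubled characters, upper-
and lower-case letters, and digits and/or special characters. The deny-list
and the candidate passwords are constructed samples.
"""
import re

# Common "leet" substitutions, folded back to letters before the deny-list check.
LEET = str.maketrans("014357@$", "oiaestas")

# Constructed deny-list of base words; a real one would be far larger.
DENY_LIST = {"password", "welcome", "letmein", "qwerty", "irs"}


def meets_complexity(pw: str) -> bool:
    """Apply the AD-style complexity rules the comment describes."""
    if len(pw) < 8:
        return False
    if re.search(r"(.)\1", pw):               # doubled character, e.g. "ss"
        return False
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        return False
    if not (re.search(r"[0-9]", pw) or re.search(r"[^A-Za-z0-9]", pw)):
        return False
    return True


def normalize(pw: str) -> str:
    """Reduce a password to its base word: drop trailing digits/symbols,
    undo leet substitutions, lower-case."""
    base = re.sub(r"[0-9!@#$%^&*]+$", "", pw)
    return base.translate(LEET).lower()


def is_weak(pw: str) -> bool:
    """Weak if it fails complexity OR its base word is on the deny-list."""
    return not meets_complexity(pw) or normalize(pw) in DENY_LIST


def audit(candidates):
    """Return {password: (passes_complexity, flagged_weak)} per candidate."""
    return {pw: (meets_complexity(pw), is_weak(pw)) for pw in candidates}


if __name__ == "__main__":
    samples = ["Pas5word", "Password1", "P4s5w0rd", "Irs1907!", "k9Wq!mT2z"]
    for pw, (ok, weak) in audit(samples).items():
        print(f"{pw:12} complexity={ok!s:5} weak={weak}")
```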
@C Gomez: "More than likely, before Zilly's arrival, previous calls that included the login credentials resulted in faster service"
It was a little more subtle than that, from what I could discern: The Healthcare Trust in question had at that time a distinct password/login sharing culture in some departments. Mostly this was harmless, albeit undesirable, and its cure was officially not within the purview of the helpdesk nor even within that of the IT department in general (I kid you not - NHS bureaucracy at its best...). However the mindset that this generated tended to bleed through into the users' calls to IT support etc., as well.
WRT Doctors et al viewing their time as precious, and not having time for security mumbo-jumbo, my take on the situation there was that the bulk of the genuinely urgent calls tended to be from mid-level nursing staff on the Hospital wards who needed a hardware fix urgently (Think A&E with a terminal that's lost its Magic Smoke, etc).
However we also fielded a lot of calls from Doctors and Consultants that were claimed to be earth-shakingly urgent as a matter of course, with all manner of sanctions threatened if not fixed within minutes, but which were patently not of an urgent nature (*).
Neither of the two scenarios described above, though, had much bearing upon the frequent offers along the line of "Do you want my login and password for this"; the two appeared to be pretty much uncorrelated, AFAICT.
(*) Regrettably, the UK Healthcare system still throws up far too many Doctors who appear to model their behaviour towards others upon James Robertson Justice's cringe-inducingly magnificent portrayal of Sir Launcelot Spratt.
"The above Bruce Schneier impersonation test was me. Along those lines, Bruce, how can we know when it's you that is posting in the comments?"
Doesn't really matter - for enough choc he'll write whatever you want... :-)
Everyone had a price, or in Bruce's case, a weight and cocoa content.
So the agents didn't verify the caller's identity. How should they do it?
Caller: "Please tell me your username and reset your password to '****'"
Employee: "Sure, but first I need to verify your identity"
Caller: "Of course, it's Bill from IT"
In most places I've worked, people routinely try to give me their passwords. In one place, I was instructed to log in as that user and complete the scheduled password change--I had the old PW and the intended new PW.
@Casper (verifying identity)
By getting a name, looking that name up in the corporate directory, calling *that* number, and then asking them why what they're asking you to do is different from the password training they get.
I mean, ideally.
Sounds to me like the IRS needs to implement information security awareness into their internal structure. That number is too high and too much sensitive information is at risk.
Simple solution: train your employees that under no circumstances should they reveal their password to anyone. If the person they are calling in IT cannot fix the issue without the password, then it needs to be escalated to someone who has the authority (both in digital rights and company policy) to do it. In my company, if I NEED to log on as someone, I notify them that I will be changing their password and what it will be changed to. Once I am done I set the AD account to require a password change at next log-on. It's that simple. No one, for any reason, or at any time, should give out their password for anything.
Had I designed the test, I don't believe I could have resisted asking for each agent's Social Security Number as well.
I did a security presentation once for Infraguard where we required everyone to fill out a generic liability disclaimer. I even got the FBI agent to hand out the forms. Out of the room full of security goons, it was only one of my friends (who knows how evil I am) who questioned the need for the SSN. I think that about 30% of the attendees gave out a number (at least some of whom were honest, judging by the number of people who tried to scribble out their entries).
This bit is just classic:
"It found that many people volunteered important personal information, such as their mother's maiden name or their own date of birth, when questioned during a street survey."
Who decided that these bits of information were important? If you live in a small town, half the population knows that about you and the other half could find out with a phone call! Banks are dumb...
I'm no longer afraid of giving out my mother's maiden name; I use an alphanumeric password. I get strange looks / responses from people when I recite an alphanumeric sequence as my mother's maiden name (or first pet's name, or high school name, etc., for all those new "enhanced-security" questions on banking websites), but it works.
Nothing in our government can be done secretly or fast because our power is so dispersed. When it is tried, it never works out. Maybe if we can agree on a new system that will all change. Imagine the debate over the Constitutionality of such changes. eGov is full of holes, hacks and hooey. Government thrives on paper.
I can't find the password for my session, please, I need your help, thank you!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.