Still one of the weakest links in the security chain. But also goes to show - make your security too complex and people write things down.
What looks like system passwords at one of London's busiest railway stations – printed and attached to the top of a station controller's monitor – were exposed to viewers during a BBC documentary on Wednesday night. The login credentials were visible just before the 44 minute minute mark in the documentary Nick and Margaret: …
Clearly what's really happened here is that there is a secret table of 512 different randomly generated 16 character passwords that every member of staff has memorised. The sticker on the monitor simply tells the operative that they should use Password number 1.
Just like when I memorised the colour code sheet for JetSet Willy.
I'm joking, I didn't.
I worked for an IT contractor years ago that provided IT support for the local branches of a major bank.
We were in contact with their network operations center on a regular basis. They were very proud of their password security policy. They required a password change every 30 days, at least 10 characters, it had to include one caps and one number.
All of this was great, except that when real users are involved, it doesn't work. If you went to ANY PC in any of the branches (including the teller line), there was a post-it note with the last two or three passwords crossed out, and the current one listed below them. When I commented about how insecure this is, users complained that the passwords were so complex and changed so often, that there was no way to remember them.
So, the operations guys, by forcing a strict password policy, created a situation where they had effectively no security. You may be thinking that management should put a stop to people posting their passwords on their monitor, right? Wrong. One day when I was working on the PC that belongs to regional manager for our entire state, guess what? She had her password list posted on her monitor!
In the end, people are people. I tell this story frequently to other junior network admins (leaving out the bank's name of course). If you push too hard with security, users will push back. And, remember we are outnumbered! Plus, with some exceptions, managers are humans too. Don't expect them to enforce security policy if they find it too hard to follow themselves. They will just tell staff "don't worry about it, you know how IT is".
Anonymous for obvious reasons...
The story that I read about in a computer magazine once was about the open-plan department that had a large-print wall poster saying "This month's password for the accounts system is: Tsirac64" "because the buggers keep changing it".
That password in fact was constructed from the first six unique letters in this post - usually I take a newspaper - and two unique digits constructed from looking at my digital watch, and it isn't as long as the specification you described. And, as I need to log in to more and more different services, scrupulously using different passwrods, I am considering having them written down in a more outrageously conspicuous form than I have already. Maybe set as my PC's wallpaper?
The old acronym.. PEBCAK. Problem Exists Between Chair And Keyboard.
This shows the trouble with humans and security. You can have the best, most advanced systems in the world protecting your computer, but as soon as you involve humans, they can blow the system wide open.
Bull. Whoever designs systems that don't take into account that we're all human has failed miserably in their risk managent. Giving it a funny SLA (six letter acronym) doesn't make it go away - you design systems for humans to use so it's not like you don't know that you have the risk exposure, deal with it. Really, a large part of security failures is exactly the failure to realise that humans make mistakes, and create some fault tolerance or a better UI to address that.
I saw a simple but classic example of that in the POS system of a jewellery store I had to audit recently. They had one login to log payments, items and client details, and we're not talking about trivial people here. When I asked why they didn't have a login per staff, it emerged the POS author had based the login on the Windows login (yes, running XP, hush), which meant the system had to deal with all the crud that goes with a Windows login, which is timewise taking centuries to load, whereas a login in the (server based) application would have been one single hash check in a small table and go (Windows simply provided the terminal function, it had no other role in that shop).
So, the store didn't follow best practice security because a developer had been an idiot by not checking the store sales process actually worked. Once we had both parties actually talking to each other it was addressed one software update later.
Barring blatant stupidity, blaming the user only becomes acceptable if they were consulted in the creation of any IT facility they are to use. Otherwise, not handling their errors is like any other lack of error handling: an IT problem.
Puhlease. Are you saying that the humans cannot memorize passwords?
Not when one wants 10 alphanumeric, excluding special characters
The other want between 6 and 15 and include special characters
Another wants more than 10 including special character, except for spaces, comma's, full stops
Another wants less than 8 but must contain at least 1 uppercase, 1 number, 1 special character
Another wants more than 15
Another want 10 but must contain at least 2 numbers and 2 uppercase
And so on and so on.
Surely the lesson to learn is:
DON'T PUT PASSWORDS ON HUGE DISPLAYS ATTACHED TO THE COMPUTERS THAT NEED THEM.
I don't disagree with writing them down. But put them in a book and lock the book away. Hell, I used to seal our "disaster recovery" password book such that anyone opening it would break the seal that couldn't be redone with damage. Then we put it in the company safe. Anyone slyly opening that to get the password would hastily put it back, and I'd know if a superior had ordered it open without my knowledge (for which I stated in advance, at that point I would be handing in my resignation unless there was a REALLY good reason, e.g. I was in a foreign country and uncontactable and a major incident, or if they were investigating myself for some reason, etc.).
Passwords are still passwords. Don't broadcast them on the same machines that require them. That's pointless. Don't whiteboard them at all. RAF places having them written clearly on bulletin boards? You're idiots. Distribute an internal email/memo to those who need them instead.
If you need to publicly advertise the password, you are effectively making that account unpassworded. That might even be a sensible alternative (if you can only access from the intranet anyway, and have to be logged in to do that, and it's just a hassle of yet-another-password). But you do have to consider that.
UK Data Protection basically says nothing that you can't write passwords down. But they have to be given only to those with need for them to carry out their duties. As such, writing them in a personal book or a memo in your (hopefully passcoded) phone is fine. Putting them on a noticeboard is not.
Don't put authentication into systems that don't need it. It looks to me as if that's a username/password combo for routing the appropriate signalling information to that particular workstation. That is, the signalman for that area always goes to that workstation, rather than the signals following the user to whatever workstation he logs in at.
If that's the desired configuration it shouldn't require the user to enter it at all!
"Surely the lesson to learn is:
DON'T PUT PASSWORDS ON HUGE DISPLAYS ATTACHED TO THE COMPUTERS THAT NEED THEM."
No; you're wrong and the AC is right; the lesson to learn is:
"DON'T SHARE PASSWORDS" and "DON'T DESIGN SYSTEMS THAT REQUIRE SHARED PASSWORDS".
As soon as password communication becomes "normal" to users, then there is no password security. You also have no audit-ability, so if something goes wrong you can't trace it back to the user who transacted it, unless they own up.
Reg_hack@elreg.co.uk to TFL_bigwig@tfl.com: Hey, you broadcast your passwords to all and sundrie last night, were you aware?
TFL-bigwig: autoresponse: I have very important champagne breakfast meetings with suppliers and lobbyists until 10am, I'll read my emails then
TFL_bigwig to TFL_minions: some hackers at the registrar know our passwords. please change them and write them down for the nightshift.
TFL_minions: we don't have those fancy printers to make those password labels anymore due to budget cuts, what should we do?
TFL_bigwig: I don't know, just cross out the "1" at the end. Just sort it and stop coming to me with problems. I want solutions!
TFL_minions: we've changed the password from "Password1" to "Password," please distribute to those who need it
TFL_bigwig to TFL_all_employees: the new password is "Password"
TFL_bigwig to TFL_renumeration: I've hit my data security target 3 months early, make sure my bonus reflects my outstanding performance. P.S. You're all invited for celebratory champagne at spearmint rhinos later this evening.
My job/company involves working with highly sensitive client data. Stuff industrial espionage, hacking and other illegal activities are committed for. The main account for the mechanics/spannermonkeys around here to access work instuctions has it's username and password clearly written out on a large sticker stuck to the front of the PC. Access to the space is not that secure to say the least...
Its a generic login to a system access controlled by physical security. The username / password security isn't implemented in any (that I know of) signal boxes, hence the default user / password is printed onto long lasting tape on the top of the monitor (it's not a post-it or similar put there by the signaler). Stop making up problems that don't exist.
Lots of use cases for generic logins if the apps are designed for turnkey use and have transactional authentication and it DOES NOT MATTER what Windows profile is being used.
I bang my head on my virtual desk when people forget that this use case exists. If a time sensitive system that a lot of people need instant access to, requires users to log into Windows, wait 3 minutes for the desktop to appear, then 15 seconds for the app to start up, just so they can perform a 5 second transaction in it before doing a full Windows logout that is a 200 second turnaround for a 5 second action. Not clever at all.
And the exact same principle applies for real time safety monitoring systems on the railways. What do you want - a 2 minute handover at shift change where no bugger can see what's happening on the track because some numpty thinks the ability to have persistent mapped drives on a user-by-user basis is so important that they impose unique logons where there's bugger all point to them?
There's a good reason why cashpoints don't require full Windows login and logout for every different person in the queue.
This post has been deleted by its author
I've seen that application open at Waterloo one or two other locations - it looks like a realtime display of the status of the points and signals. The buttons on the application have the fairly distinctive oval styling (rounded ends) of the Open Look intrinsics, which places the app at something like 20-25 years old, probably running on Solaris.
If only this was real news...
The app shown on the screens is simply a real-time display of the approaches to Waterloo. It is on a completely isolated intranet with no external connectivity other than inbound feeds from various Network Rail systems. It has no control over any signalling or train movements.
Also, the problem yesterday was a dislodged conductor rail on the Southern network into Victoria - completely unrelated to SWT, which goes into Waterloo.
Sadly, knowing the username and password won't do you any good unless you happen to work for SWT and have access to their Intranet.
Nice try though :)
This is a bit of a non-story, really. First of all, that workstation does not control signalling, it is merely an information display with no control over trains or signals whatsoever. Second of all you'd need to be at a workstation on the local network to use that login, so you'd have to physically gain access to the London Waterloo office to use it.
Best practice? No. Dangerous? No.
That could just be the name and password of a local account for that particular PC, and the account only exists to restrict access away from administrator functions on that machine for general users.
In other words, it could be utterly useless, unless you have physical access to that PC, and if someone has physical access to that machine who shouldn't, you've probably got bigger problems.
Or, the labels could just tell people which password is in use - the password not being "Password1", but the first password in rotation.
It's easy to jump to conclusions without considering all the possibilities.
Nicely timed article, for me.
There is a provincial election going on here in Alberta. I was watching the evening news yesterday, where they had an article about some of the female candidates. In one HQ shot, there was a whiteboard quite prominent in the background, with the note "Voicemail password" followed by something I couldn't catch.
I laughed, and thought briefly about calling the station to inform the reporter to inform the candidate's office,... but quickly forgot about it.
I wonder if there will be a news item this evening about that candidate having voicemail problems? Nah!
Surely unless this is an account which needs remote access, the broadcast of the PW isnt a problem? If someone breaks in to sit a machine and log in, they've got other security failures to worry about.
And as others have pointed out, the fact it seems to be a shared / generic password means its kind of pointless. So the news here should be "idiots designed IT system" not users posted password.
Or maybe... if you are in the station near the control room you can pickup a suitable WIFI network...
I know of at least one major ISP that propagates 172.16-31.x.x data packets both in and out of their customers equipment...... and I have seen where a DNS server on 172.18.33.x in another customers equipment is used to service DNS requests on 172.18.66.x in a secondary installation.
Yes it won't work once the IP address is allocated (depending on the subnet mask), but you target this stuff a bit at a time and there are 'loop holes' in the most unexpected of places.
May I suggest the real question is this: how on earth do such organisations pass their infosec audits?? Do none of the auditors at any of these companies ever notice the passwords in plain view? Or do the operators do a quick clean up before the auditors arrive? Either way, here's yet more proof that security audit is a sick joke. And that security practices aren't worth the paper they're printed on. Security isn't what people think it is. Instead of meticulous processes and hawk-eyed inspections, it's just mediocrity and theatrics. Security isn't secure.
can set your own password and you can't come up with a nenorable one, regardless of demands, then you're a fucking idiot.
The 2nd crazy cow jumps highest out of ten.
T2ndccjhof10 , 11, 12, so on with each rolling change. Better than nothing and unforgettable. Unless it's a shared terminal with the same login but centrally set password, and you use lots of them, then.... Ah fuck. You know what, people will never learn, so fuck em.
Biting the hand that feeds IT © 1998–2022