CEO arranged his own cybersecurity, with predictable results

It’s the last Friday of 2023, but because the need for tech support never goes away neither does On Call, The Register’s Friday column in which readers share their tales of being asked to fix the unfeasible, in circumstances that are often indefensible. This week, meet a reader we will Regomize as “Jack” who told us he was a …

  1. Anonymous Coward

    Customers are the security liability

    Worked with a CxO customer who, through stupidity and ignorance, kept doing things that compromised their security. He was the company's biggest liability; on one memorable occasion he lost his laptop, but taped to the underside were the passwords to the applications he used along with the laptop username and password. He did not disclose this at the time of reporting the theft, about a week after it was actually stolen (from a pub, of course). So we had activity on the systems via the stolen laptop, some key data deleted and various other issues; luckily for us the laptop seemed not to have fallen into the hands of someone who could have really done some damage. The CxO of course blamed IT, as the systems should be secure against this type of thing, even after telling us he had the account and passwords taped to the bottom of the laptop.

    Fun times. Thankfully he was moved on about a year later as his stupidity caught up with him.

    1. John Riddoch

      Re: Customers are the security liability

      Humans are the weak point in most companies' security because they're fallible and prone to try and help. Just yesterday, El Reg reported that attackers just needed a "10-minute call with the help desk" to break in.

      Various companies are now working on this, with education for staff on how to not be an idiot, test phishing emails etc and people still fall for it.

      1. The Oncoming Scorn Silver badge
        Pint

        Re: Customers are the security liability

        I get these e-mails from the client side & my employers.

        The only one (It was the first time they had given me a fake email test) that gave me real concern was allegedly speeding on site (Through roadworks on site), the link given was so fake looking it was unreal.

        I then did a search of the URL & discovered it was the US equivalent of the DVLA & it was the crappiest unprofessional URL for a Govt Agency I have ever seen & apart from a character change or two you would be hard pressed to tell the difference between the one received, I hit the Phishing attempt reporting tool as I hadn't been in the US for five years much less driving my current vehicle.

        One I clicked the reply to in error & was rewarded with a GOTCHA.

        The rest have been too well phrased\implausible to be genuine attempts, including one in the run-up to Christmas that was "a family member has sent you an e-greetings Christmas card", which, as no family member has either of my work email addresses &\or spoken to me in 5 years, made it really easy to spot (along with the fact they used my middle name instead of my surname).

        I got a txt tonight from my bank (Correct as it happened) with a tinyurl link advising me there was a critical alert on my account, which was ignored.

        Icon Friday Beer O'Clock\NYE - Maybe my last post of the year so Happy New Year Commentards Everywhere.

        1. KittenHuffer Silver badge

          Re: Customers are the security liability

          My favourite turned out to be from the company that I was working for, that ticked more than half of the 'signs of phishing' listed in the email that they had sent out the previous day. I had great joy in clicking the 'Report Phishing' button for that email.

          1. Doctor Syntax Silver badge

            Re: Customers are the security liability

            The emails purporting from your bank that tick all - not just half - the phishing email boxes usually are from your bank.

            1. Eclectic Man Silver badge

              Re: Customers are the security liability

              What about the one I just received from 'No Reply Scam Protect Mailbox'? It refers to the 'recent' report I made to ActionFraud about a fraudulent attack on an account of mine, that I made THREE YEARS ago.

              It says it is from Thames Valley Police.

              1. David 132 Silver badge
                Happy

                Re: Customers are the security liability

                Definitely a scam.

                There's no way that Thames Valley Police would respond that quickly.

                1. Blogitus Maximus

                  Re: Customers are the security liability

                  "There's no way that Thames Valley Police would respond."

                  FTFY.

            2. Terry 6 Silver badge

              Re: Customers are the security liability

              This pisses me off so much. Banks, insurance (and energy ) marketing departments that send out emails with a "Click here to go to your account's log in page where you can enter your password and stuff into those oh so convenient boxes".

              Genuine (usually) emails from the bank's email address (or worse, from an entity representing the company) that do as they say they will. But they seem tailor-made to train users to click on unsafe links!

              1. Doctor Syntax Silver badge

                Re: Customers are the security liability

                "But seem tailor made to train users to click on unsafe links!"

                And there are very few banks and building societies that will listen when you try to tell them that, even if you raise the matter at an AGM.

              2. vcragain

                Re: Customers are the security liability

                Whenever I get an email from my 'bank' or similar suspect location I immediately delete the email & go to the actual site via my usual link & log in to see what the issue is - IF ANY - usually there isn't one !!! Solved ! NEVER click on links sent to you from any place where you know your info is stored - just go to their real page & check it out; if you don't actually have your own link, look them up with a SEARCH. This business is getting far too messy to trust any email's contents IMO !

        2. Antron Argaiv Silver badge

          Re: Customers are the security liability

          My company has hired somebody to send these. I spent some time looking thru the email header until I found the domain name being used to send them, created a custom rule to delete anything coming from that domain and Bob, as they say, is your uncle.

          I don't have time to play their silly games.

          1. Robert Carnegie Silver badge

            Re: Customers are the security liability

            I don't know that I agree with what you've done. It is an important staff training process.

            If I was running this, I'd consider validating that the fake spam reaches you and you recognise it as suspicious using your eyeballs. And I want to know if not, why not.

            I also will use the same domain to organise Secret Santa.

            1. Not Yb Bronze badge

              Re: Customers are the security liability

              If you can validate that the fake spam reaches your employee, there's a very good chance that real spammers can as well. You need to close threat surfaces if possible, not open them on purpose.

              1. Robert Carnegie Silver badge

                Re: Customers are the security liability

                What I'm thinking is that as the white-hat sender of fake phishing spam, I would be requiring users to recognise and report it, not just to block it. Especially if my spam was the only phishing that they managed to block.

                The enterprise should block phishing spam as far as it's practical to do that. But with that in place, white-hat phishing spam is needed so that users do expect to see messages that are timewasting or worse, and to treat them appropriately. Otherwise, any real phishing which does get through is more likely to catch victims.

        3. Headley_Grange Silver badge

          Re: Customers are the security liability

          HMRC used to do that. Their main website is a .gov.uk but documentation used to come from a US .com organization's address in an email with hallmarks of phishing.

      2. An_Old_Dog Silver badge
        Facepalm

        Re: Customers are the security liability

        Back in the 1990s, a work mate told me in his previous admin/security job at a university, he had sent an organization-wide email with an executable attachment, which he'd written and compiled.

        The executable merely logged the userid, machine ID, MAC address, IP, date, and time it was executed, to a text file on the network.

        The email contained a warning: "Do not run the attached file."

        Roughly 80% of the people, including the CIO, ran the attachment.

        1. keithpeter Silver badge
          Childcatcher

          Re: Customers are the security liability

          Interesting. Can you remember what the recipients had to do to 'run' the attachment?

          1. phuzz Silver badge

            Re: Customers are the security liability

            In the 90's it wouldn't have been much harder than, download the attachment and double-click.

            1. Anonymous Coward

              Re: Customers are the security liability

              probably wouldn't even be necessary to download it, depending on the client. They would open it natively from inside!

              1. keithpeter Silver badge
                Childcatcher

                Re: Customers are the security liability

                Which was my point.

                Unless the original email's subject line said something like 'don't open this email' you can't really extract any moral from the statistics supplied by the post to which I replied.

                1. doublelayer Silver badge

                  Re: Customers are the security liability

                  It wouldn't have happened automatically, but it would have been easy to open. I'm not sure about others' workflows, but I read the message before opening the attachments, mostly because there's a chance that the message will tell me that I don't need to bother with that file so opening it is a waste of time, but also to detect risks with the file. If others weren't doing that, suggesting that they might want to read the message first is not a bad plan.

                2. Doctor Syntax Silver badge

                  Re: Customers are the security liability

                  There is indeed a moral to be extracted - the fact that the email client, or at least its configuration, is dangerous in its own right. But did those who ran the test follow it up by mandating a safe client/configuration?

              2. David 132 Silver badge
                Coat

                Re: Customers are the security liability

                They would open it natively from inside!

                That 't' is optional!

        2. CowHorseFrog Silver badge

          Re: Customers are the security liability

          Why the special mention of the CIO ?

          Most CxOs are the dumbest people in the org; it's a fraud they are given any title, especially one that implies they have any technical skills.

      3. Mike 137 Silver badge

        Re: Customers are the security liability

        "Humans are the weak point in most company's security"

        And not just front line humans. One of the biggest problems is thoughtlessness at the tactical and strategic levels (i.e. by the execs and managers who make the rules and take the decisions). For example, from this article: "a WhatsApp group used as an incident management tool" -- your incident response comms must be out of band (off the network), otherwise an active adversary can snoop on them and counter your planned countermeasures.

        It's always those at the bottom of the hierarchy that get landed with the blame, but for the most part it's defective planning and provisioning that underlies the breach -- the human element primarily being inadequate training (common), unclear or irrelevant policies (very common), relying on human action where technical controls could be used effectively instead (very common indeed).

        Until infosec is treated by the Board as seriously as finance management there's no improvement possible, as corporate culture, and consequently performance, is driven from the top.

      4. Yet Another Anonymous coward Silver badge

        Re: Customers are the security liability

        >attackers just needed a "10-minute call with the help desk

        That's where our corporate overlords win.

        To access the help desk you need to be on the secure intranet site. To access the secure internal site you need a security token. Instructions to obtain the token are on the secure internal site.

        If you have any problems just raise a ticket, on the secure intranet page.

        1. Doctor Syntax Silver badge

          Re: Customers are the security liability

          This was a company providing security services to their clients, other companies. Their help-desk would have to be able to take external calls supposedly from their clients. It makes the attack surface bigger. That should factor into decision making by both company and potential clients.

        2. BobTheIntern

          Re: Customers are the security liability

          And don't forget to enroll a 2FA token into your favorite authenticator app from the 2FA Enrollment Portal, which requires you to log in first with your username, password, and a valid 2FA response.

      5. MOH

        Re: Customers are the security liability

        Last company I worked for kept sending those really obvious phishing messages, along with appallingly bad legit internal comms which had all the hallmarks of phishing.

        My favourite was the one with poorly phrased English that told me I urgently had to fill in a form to supply the CISO with my contact details or I'd lose my remote access.

        Which I naturally reported as phishing to the CISO team, who ignored the report. Eventually turned out to be legit.

        If you're training users to respond to mails like these, there's no point wasting money on phishing training.

        1. Doctor Syntax Silver badge

          Re: Customers are the security liability

          Especially if the reports are ignored.

      6. Yes Me Silver badge
        Headmaster

        Re: Customers are the security liability

        "education for staff on how to not be an idiot"

        I'm sorry, I'm too stupid to understand that phrase. I've done a fair amount of teaching in my life, and both my parents were schoolteachers, and I can safely say that none of us ever successfully taught somebody how to not be an idiot.

        1. Jou (Mxyzptlk) Silver badge
          Devil

          Re: Customers are the security liability

          I hope you and your parents did not teach how to be an idiot either!

      7. GuldenNL

        Re: Customers are the security liability

        Not two weeks before one of 2023's most sensational malware events started, I pitched voice bioauthentication to the customer. And as I tend to do, suggested a PoC using their Help Desk since it involves only internal customers and the numbers are much lower.

        "Too expensive! Yes, the PoC is very cheap, but who needs this for their Help Desk?"

        I immediately moved on given the dysfunctional management at said customer. The rest is history. They still grumble about the cost (which really isn't that much) even though they are very well aware of the cost of leaving themselves unprotected.

        1. Killfalcon

          Re: Customers are the security liability

          Voice bioauthentication for a helpdesk sounds challenging, TBH. Getting the valid auth samples in the first place is going to be a major endeavour, and then how do you deal with the audio quality issues that come from phone lines/potentially poor quality mics, compression, etc?

      8. a pressbutton

        Re: Customers are the security liability

        "Various companies are now working on this"

        ...in my experience by simply not answering the phone.

    2. lglethal Silver badge
      Trollface

      Re: Customers are the security liability

      A friend of mine who worked at a bank relatively high up in the IT department told me a story once.

      This was back in the 90's when phishing was just starting to take off. The IT department of the bank sent out an email to all customers, basically warning them about phishing and saying that the bank would never contact them asking them to click on a link to go to the bank website, and that all emails would include the user's name as an additional security feature.

      What did Marketing do the very next day? Send out an email to every customer directing them to go to the bank website and input their login details. Apparently there was one hell of a fight at the C-Suite between the heads of Marketing and IT when that was discovered.

      1. disgruntled yank Silver badge

        Re: Customers are the security liability

        Marketing: Shortly after my employer signed up with KnowBe4, a building-wide email went out for an umbrella organization for charitable giving. The domain name did not match the organization name (not well, anyway), and WhoIs was not forthcoming with domain ownership. I thought it was real phishing, not KnowBe4, because the quality of the clickable link was a step up. It was later in the day that I managed to find out that this email was legitimate. But it certainly looked like phishing.

      2. Yet Another Anonymous coward Silver badge

        Re: Customers are the security liability

        Our dear leaders sent out a fairly good phishing email with a login to a fake O365.

        I reported it and got told it was a test and I was a good little minion for not clicking. I also suggested that they have an address to forward these so they can be blocked.

        A week later a commandment came down that we were all to install a 'report phishing' button by downloading and running a Chrome extension from some 3rd party site and granting it all these permissions.

        1. AustinTX

          Re: Customers are the security liability

          In places I've worked, this "Report Email" button was either preinstalled or 'pushed' in with an update. Much better way to do it. ;)

        2. This post has been deleted by its author

      3. Terry 6 Silver badge
        Flame

        Re: Customers are the security liability

        Yet it still fucking happens!!!!!!!

        (See previous - I still get them pretty often).

        1. Doctor Syntax Silver badge

          Re: Customers are the security liability

          I solved this in relation to my bank a long time ago. I set up a specific email address for any business or group with whom I might have dealings on a long term basis, including my bank. I kept reporting the apparent phishing to their report-phishing address without receiving a reply. Eventually I sent them an email asking if the reports were genuine and saying that if they didn't reply I'd cancel the email address. They didn't, so I did. For years now any emails they sent to me will have been bouncing. They haven't tried contacting me by any other means to ask about this, which I take to signify that they have never used email for any transactional purposes at all - they only use it for marketing, and probably via 3rd party commercial email marketing spamming companies.

    3. Mark 85

      Re: Customers are the security liability

      These things prove that a little knowledge is a very dangerous thing. Most of those up high think they're smarter than the rest of the staff and end up making more problems than they solve. I'm of the belief that board members should only have something like a fake laptop that doesn't do much except read news and play games.

      1. Yet Another Anonymous coward Silver badge

        Re: Customers are the security liability

        A special red one that you shake to reset ?

        1. Montreal Sean

          Re: Customers are the security liability

          Those shake to reset red ones have too many knobs for board members.

      2. Robert Carnegie Silver badge

        Re: Customers are the security liability

        I'm not sure if you want to make board members nonfunctional - which seems to save money if you don't need to have a board, but it leaves you with your CEO or president without controls on their behaviour - or if you just want to airgap the board from anything technological. Then you have a manageable expense of each board person having a PA employed to print their e-mails and type their replies. But that raises again the question of whether the board members themselves are required.

    4. Version 1.0 Silver badge
      Unhappy

      Re: Customers are the security liability

      At a corporate level it seems that security issues are very profitable, forcing all users to buy new computers and upgrade operating systems ... and at a corporate level a new cybersecurity issue will result in new updates and profitability. Creating a 100% secure environment would reduce corporate profits.

  2. trevorde Silver badge

    PostIt Note Security

    Developed one company's design software where the boss insisted on it being password protected because "Our competitors desperately want to get their hands on it". The password changed every month & he only ever doled out 3 months worth at a time. Apart from being trivially easy to defeat, all the engineers kept the passwords on a PostIt note on their monitors.

    1. lglethal Silver badge
      Go

      Re: PostIt Note Security

      Assuming you're a firm with locked premises and we're not talking about areas where customers/suppliers/or the competition regularly walk through, I don't really have a problem with using Post-it note reminders. Maybe not the entire password, but if it's something like "B_101" to remind them of their 15 digit password, then that's fine. Also usernames should not be on the Post-it at the same time, obviously.

      If someone is in your premises, and with enough time alone to take note of passwords on post-it notes, then you have bigger security problems than just having the odd password stolen...

      1. MiguelC Silver badge
        Facepalm

        Re: PostIt Note Security

        Just be careful when the TV crew comes to the premises for an interview

        1. David 132 Silver badge
          Pint

          Re: PostIt Note Security

          Bwahahaha those are absolutely hilarious. Have a pint for brightening my gloomy post-Yuletide afternoon!

      2. J. Cook Silver badge
        Trollface

        Shameful confession time:

        I have a post-it note on the bottom of my keyboard at work.

        It says "bet you thought there was a password here, huh?"

        1. Mark #255
          Coat

          Re: Shameful confession time:

          For bonus points, "bet you thought there was a password here, huh?" could be your pass-phrase.

          1. Jou (Mxyzptlk) Silver badge

            Re: Shameful confession time:

            That password does tick the "OK complex enough" mark for me. And Keepass says: About 155 bits of value. Probably due to punctuation. Simply adding: "I " upgrades it to 168 bits since it is a capital letter.

          2. Yet Another Anonymous coward Silver badge

            Re: Shameful confession time:

            So the best passwd is the keyboard serial number ?

            It's long, random, written down so you won't forget it and nobody looking under your keyboard is going to suspect it's your passwd !

            1. Stork

              Re: Shameful confession time:

              I once used my monitor model as pw - right there in front of me, fitted the criteria.

              1. Anonymous Coward

                Re: Shameful confession time:

                > I once used my monitor model as pw - right there in front of me, fitted the criteria.

                next week's On Call features a user who couldn't log in after IT upgraded his monitor?

          3. Doctor Syntax Silver badge

            Re: Shameful confession time:

            No, it's his user ID. The password is Passw0rd.

          4. Robert Carnegie Silver badge

            Re: Shameful confession time:

            I like passwords that can be typed, but not that one.

            For instance, if use of a punctuation mark is enforced, then: mxyz comma ptlk

            Although of course the password censor doesn't have a sense of humour. So that one won't pass.

            Otherwise, I recommend not being imaginative with your password punctuation mark. Be imaginative, or ideally random, with the letters. A punctuation character that is even slightly exotic - that either is unfamiliar in the United States, or is in a different place on the U.S. keyboard and on yours - is liable to be misread or lost when you input it. A symbol that has a special meaning in a data file or an internet protocol, such as $ and #, also may be swallowed. Even ' risks calling up the spirit of Bobby Tables. Use this junk only if you are mandated to use the corporate password generator, and may /ˈbjɑːrnə ˈstrɒvstrʊp/; have mercy on you.

            I myself use $CHAR1 whenever a password demands a punctuation mark, except for a few systems which apparently regard $CHAR1 as not a punctuation mark, and in those cases I use $CHAR2. And a box of dice which I have altered to produce numbers 0/1/2, 0/3/6, and 0/9/18, when a new password is required. (Away from home, I use a "fidget spinner" with equivalent modification. This means that setting the password is a potentially relaxing break of some minutes from screen work, but a time of mental arithmetic instead. I suppose I could use spreadsheet software for the arithmetic.)

            1. Jou (Mxyzptlk) Silver badge

              Re: Shameful confession time:

              > For instance, if use of a punctuation mark is enforced, then: mxyz comma ptlk

              Which is a password I don't use, anywhere :D. With or without comma. Mr. Mxyzptlk is known too well. And, it contains "xyz", which is forbidden in some companies since these are three consecutive characters.

            2. Yet Another Anonymous coward Silver badge

              Re: Shameful confession time:

              >or is in a different place on the U.S. keyboard

              Special award for the RPI that prompts for a password at the start of install, then asks for the keyboard layout later....

              1. Jou (Mxyzptlk) Silver badge

                Re: Shameful confession time:

                > RPI

                What is RPI? Probably Raspberry Pi, but why capital "I" at the end? With capital "I" it is, for example, "Rockwell Protocol Interface" or "Remote Programming Interface" or "Remote Process Interface" or "Read Property Instruction" or "Relay Position Indicator" or "Requested Packet Interval" or.... And my list only contains those related to computers, and even with that restriction it is incomplete...

                1. Robert Carnegie Silver badge

                  Re: Shameful confession time:

                  I don't have one, but a quick Google implies that officially or unofficially, "Raspberry Pi" is commonly abbreviated to "RPi", with a lower case i favoured, probably because it's a bit silly to abbreviate "Pi". At the moment in my head it's pronounced "are pie", but all this may be wrong.

      3. M.V. Lipvig Silver badge

        Re: PostIt Note Security

        Nope, not doing it. I have to use some 50-60 different applications (and we just acquired a new network so, joy of joys, another half dozen coming) to do my job, which all have different userIDs and passwords. All the passwords look like keyboard vomit, as words found in a dictionary are not allowed. And, every couple of months they all must be changed and can't closely match anything I've used in the last umpteen years. It's a small blessing that none of the systems can compare notes on what I've used before on other systems so I can at least reuse on the ones that follow close enough formats.

        There's no way in Hell I can remember all that, so I keep them all nicely organized on a notepad on my laptop so I can cut and paste when needed. And, I've resorted to using keyboard patterns to come up with suitable jumble. The pattern I'm using just shifts one row over at each reset, and I can space rows to run the patterns again, which should last me through retirement. And, if someone steals my laptop, they'll have the keys to the kingdom because our Infosec department thinks making my life harder proves their worth. God forbid they should do their jobs and work out a unified password access system. Remembering a single username and complicated password that I have to enter a thousand times a day would be easier to memorize than the mess I have to deal with now.

        1. Jou (Mxyzptlk) Silver badge

          Re: PostIt Note Security

          > on a notepad on my laptop so I can cut and paste

          1. I hope bitlocker encrypted drive, even if you don't have to enter a startup password.

          2. That is the worst. Use at least keepass. Any audit will make a big alarm, so change that as soon as possible. Don't forget to copy the keepass database to your network drive as backup.

          3. "cut" and paste? So all your passwords stored in notepad are one time use only?

          As for the rest: We all have to do this, in our company, at our customers' companies (well, most of them), the C-suite, the admins, the users. With even more complex password rules than you, enforced via an extra tool connected to AD. Hell, the admins, depending on the needs, even have three different admin accounts within the AD: Domain admin separate from Specific-roles Admin (for a few servers) separate from client admin. And don't you dare use your domain admin on a server or client you should not, 'cause I implemented the audit-scan-script to check for those, which means the account is burned due to "hash stored on a device it should not be stored on" - even if NTLMv1 hash is forbidden.

          1. Doctor Syntax Silver badge

            Keepass

            Seconded, including database backup. If you can't remember one good pass-phrase for Keepass you have more problems than IT security.

            1. M.V. Lipvig Silver badge

              Re: Keepass

              Yes, I believe that was the gist of my rant - no centralized password system for the company. I have to work in their framework, with no recourse to anything else. And, I'm paid to fix circuits, not make IT decisions, so I do what I can to make my job as easy as possible. This means keeping my passwords on an insecure notepad on my computer desktop. This lets me spend more time fixing circuits and less time faffing about with IT's systemic security failures. If IT Security doesn't like it, they can institute a centralized password system that lets me log into anything I have access to with a single password.

              1. Jou (Mxyzptlk) Silver badge

                Re: Keepass

                > I'm paid to ....

                "only do what I am told to do and not the tiniest step beyond."

                Either your mindset is a perfect fit for the company, or it is time to move. Don't forget to give us an update when your IT takes notice, and how long it took (or how long you stayed there, whichever comes first).

              2. Robert Carnegie Silver badge

                Re: Keepass

                You could use an encrypted zip file at least. However, plain zip encryption is broken, insecure because defeated. Still, it discourages non-technical snoopers. Also, to deflect suspicion, be sure to disguise the file as pornography.

                Fetish pornography. No one wants to see anyone else's. Bonus if your spouse resembles a hobbit anyway. Remember they are pipe smokers, including women presumably.

                As others have commented, you probably meant password "copy and paste" unless you remind yourself to change a password after, say, 60 days by pasting 60 copies of it in the file to start with.

                Remember to print your file of passwords in a font that lets you tell letters and numbers apart, tricky ones like l I | 8 B 5 S.

              3. Killfalcon

                Re: Keepass

                If you have Microsoft OneNote installed, you can put a password on a page, so you can at least protect your big list of passwords a little.

                1. Terry 6 Silver badge

                  Re: Keepass

                  In OneNote you can encrypt pages, which gives you a place to keep a secure list of passwords.

          2. M.V. Lipvig Silver badge

            Re: PostIt Note Security

            No, I store them on my PC on notepad. Passwords are good for 3 months before requiring a change, for the most part.

        2. bemusedHorseman
          FAIL

          Re: PostIt Note Security

          "and can't closely match anything I've used in the last umpteen years"

          That's the part that's always rubbed me the wrong way about "password cannot be similar to a previous one". It means that to check that, they have to store your password in plaintext (or at minimum, reversibly encrypted). It should not be possible to check if a password is "similar to" an old one if you're actually hashing properly.

          The only thing worse is when they set a maximum length limit on the password, especially if it's "no longer than sixteen characters" specifically. You just know that really is being stored plaintext, because if it was being hashed in any way, hashes are always the same length for a given algo, so the database could be set for CHAR(24) exactly instead of VARCHAR(16)...

          1. ibmalone

            Re: PostIt Note Security

            "It means that to check that, they have to store your password in plaintext (or at minimum, reversibly encrypted). It should not be possible to check if a password is "similar to" an old one if you're actually hashing properly."

            This one used to bug me too, although it is technically possible if you generate and hash the variants at the time of first entry (or if you want to retrofit, I suppose at subsequent successful logins, same as updating hash algorithm without requiring a new password). Not sure how salts would be best handled. However it does seem like this should make cracking easier (only need to match one of the variants and then use the variant rules until you hit the right match). Am I sure the places that require this implement it that way?

            The maximum password length one makes me wonder if we worked for the same UK HE institution. Mine don't have it any more, think it might have been linked to old Windows password formats.
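Added example, not code from either commenter: both checks discussed above, implemented without ever storing a plaintext or reversible password. Similarity to the current password is measured at change time, because the user has just typed the current password to authorise the change, so both values are in memory for that one call. Similarity to older passwords uses the scheme ibmalone sketches: a few normalised variants are hashed at set time under a per-entry salt. The variant rules, KDF cost and edit-distance threshold are assumptions. `cracking_multiplier` makes ibmalone's caveat countable: each history entry now carries one hash per variant, and the canonical one (case-folded, trailing digits stripped) is the weakest of them.

```python
"""Password-history similarity checks without plaintext storage.
Added example (neither commenter's code): variant rules, KDF cost and the
edit-distance threshold are assumptions."""
import hashlib
import os
import re

KDF_ITERATIONS = 50_000     # assumed, kept low for the demo; use your policy's KDF
MIN_EDIT_DISTANCE = 3       # assumed: a change closer than this to current is rejected


def canonical(pw):
    """Assumed normalisation: case-fold, drop trailing digits and punctuation,
    so Winter2023! and winter2024 collapse to the same form."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def variants(pw):
    """Forms hashed at set time; later checks never need the plaintext again."""
    return {pw, pw.lower(), canonical(pw)}


def kdf(text, salt):
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, KDF_ITERATIONS)


def make_history_entry(pw):
    """ibmalone's scheme: one salt per entry, one hash per distinct variant."""
    salt = os.urandom(16)
    return {"salt": salt, "hashes": {kdf(v, salt) for v in variants(pw)}}


def matches_history(new_pw, history):
    """Any variant of new_pw hashing to any stored variant of an old entry."""
    for entry in history:
        if {kdf(v, entry["salt"]) for v in variants(new_pw)} & entry["hashes"]:
            return True
    return False


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_change(current_pw, new_pw, history):
    """Change-time policy. current_pw is the value the user just typed to prove
    they hold the account; it is compared in memory and never persisted."""
    if levenshtein(current_pw, new_pw) < MIN_EDIT_DISTANCE:
        return "too similar to current password"
    if matches_history(new_pw, history):
        return "matches a previous password or a trivial variant of one"
    return "ok"


def cracking_multiplier(entry):
    """ibmalone's caveat made countable: an attacker only needs to hit any one
    of these hashes, and the canonical variant is the weakest of them."""
    return len(entry["hashes"])


if __name__ == "__main__":
    history = [make_history_entry("Winter2023!"), make_history_entry("Tr0ub4dor&3")]
    for candidate in ("Tr0ub4dor&4", "Winter2024!", "correct horse battery"):
        print(candidate, "->", check_change("Tr0ub4dor&3", candidate, history))
```

Note what the history check costs: every stored entry now leaks a salted hash of a lowercased, digit-stripped string, which is a far cheaper cracking target than the real password. A site that only needs "not similar to the current one" gets that for free at change time and should skip the variant hashes entirely.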

      4. Headley_Grange Silver badge

        Re: PostIt Note Security

        "..then you have bigger security problems than just having the odd password stolen.."

        Nope - your biggest problem is that you've got people working for you who don't take even the most basic rules of security seriously.

      5. tiggity Silver badge

        Re: PostIt Note Security

        "If someone is in your premise, and with enough time alone to take note of passwords on post-it notes then you have bigger security problems than just having the odd password stolen..."

        You are aware it's not an unheard of practice in high value targets to either temporarily get an accomplice into the office cleaning teams for the target & get any "post it" visibility creds, or bribe one (or more) of the existing cleaners for any juicy info.

        Publicly available creds (be it on post-its, in a drawer*, sellotaped to machine or keyboard, etc.) must be assumed compromised.

        * irrelevant if drawer locked, most office furniture locks are so poor the contents of the drawer are no more secure than something left on the desk.

    2. Jou (Mxyzptlk) Silver badge

      Re: PostIt Note Security

      That is more secure than a bad password. Though the best place is below the keyboard or within the closest drawer, not visible from outside. Though an ISO audit will alarm, since that is one of the things they look out for (albeit often missing other obvious stuff).

      1. Doctor Syntax Silver badge

        Re: PostIt Note Security

        Use a password manager, not hard copy.

    3. gnasher729 Silver badge

      Re: PostIt Note Security

      In the USA, any password protection that you break means you are in breach of the DMCA, which may give your company access to higher damages. However, changing the password every month is not needed for that.

  3. Bebu
    Childcatcher

    A Bit Puzzled?

    I would have thought all service providers including security thespians, would have drafted watertight service level agreements (SLA) that basically relieved them of all responsibility for anything after such a reckless and thoughtless act while still entitled to, enforceably, the compensation agreed in the service contract.

    You break it, you get to keep the pieces but you must still pay for it.

    If the CEO in this story wasn't specifically (formally) authorized to access these IT resources __OR__ such access was not a part of his role formally or customarily, this CEO almost certainly breached corporate policies and very likely committed a number of criminal offenses in many jurisdictions. CEOs don't hold unplanned and unannounced fire drills off their own bat without consultation. Presumably even their impenetrable skulls appreciate that if they managed to survive defenestration by irate Firies*, those CEOs would also be criminally responsible for any other resulting deaths and injuries.

    *en_AU firey/firies= firefighter(s)

    1. Robert Carnegie Silver badge

      Re: A Bit Puzzled?

      A CEO probably authorises anything that they like. The question I'd ask is whether anything on the network was compromised besides the CEO's own PC, if they used that for the penetration, or the outsider device plugged into the network. Arguably an outsider device should simply be not allowed to communicate, but apparently, this network wasn't that secure. If it was, you probably also need 3 months to set up a network port for a new member of staff.

      Regardless, I like to imagine the internal IT staff smashing the CEO's computer with sledgehammers as instructed by our hero, in front of the CEO, keyboard and all, and THEN asking the questions. They probably didn't do that, but I like to imagine it.

  4. ColinPa Silver badge

    Christmas party

    At a conference someone was saying he did security penetration tests, and had spent a week just before Christmas at a government installation teaching the basics ... don't put your password in your laptop bag, don't leave your laptop in an unsecure area etc. It was the work's Christmas Lunch on the Friday, so he squashed the remainder of his work into Friday morning, and went along to the lunch in the pub with them.

    After a few hours, he got the bar staff to pick up all of the laptop bags lying around and put them in a storage room. He then put the (ten) laptops in his car and went home for the weekend, and waited for the call.

    He went back on Monday "to collect something" and found the group were in headless chicken mode.

    He got called into the irate senior manager to "discuss it" who eventually saw sense and said thank you (and could he have his laptop back please)

    1. Neil Barnes Silver badge
      FAIL

      Re: Christmas party

      I have received a laptop, previously used by me, shipped internationally. The manager had changed the passwords when I stopped using the laptop (good) and thoughtfully stickynoted the new password to the bottom of the laptop (not so good)...

      1. John Brown (no body) Silver badge

        Re: Christmas party

        Next time, "for security", he'll send the password separately, on a postcard :-)

    2. Robert Carnegie Silver badge

      Re: Christmas party

      I wonder how many of the laptops actually came back. If I was a bar worker, this sounds like an opportunity. It's not an opportunity that I'd take, although I am thinking about a new laptop.

    3. justjosephhere

      Re: Christmas party

      I applaud the "learning experience" that you so practically provided to your clients! A decade ago, when I was a contracted Systems Admin, I took advantage of such serendipitous opportunities to drive home the concept that employees are the first-line defenders of the boss's Network. Fortunately, my client (the Boss) had a sense of humor too. The "victimized" employees were a great example for the others. My sense of practical humor wasn't well appreciated but the lessons were well remembered.

  5. Alan J. Wylie

    Unannounced security tests

    At a couple of my previous places of employment, there have been unannounced (even to me, as a senior security engineer) phishing tests. It puts me on the horns of a dilemma. Do I

    1) Get to my feet and loudly announce to the office "Beware - a phishing e-mail has just arrived", ruining the test, or

    2) Stay quiet and run the risk of the less aware staff compromising security.

    1. Khaptain Silver badge

      Re: Unannounced security tests

      Stay quiet, as the results are important in order that everyone learns by example.

      1. Mike Pellatt

        Re: Unannounced security tests

        That's not the purpose of a test phishing campaign. It's to measure the effectiveness of the org's awareness and training policies and procedures.

        In that context, I'd expect alerting colleagues to a clearly targeted attack to be part of good security processes.

        1. doublelayer Silver badge

          Re: Unannounced security tests

          If you know for certain that it is a test, then you also know that there isn't a risk to security if someone clicks on it. Not telling them means that the test is better, because it tells you what things would look like if they were the only or first person to get this message. They can't always count on you having received any phishing attempt before it is sent to them, so they need their own vigilance as well as listening to you. This is why phishing tests at my company are intermittent, so if one person gets a suspicious email and asks me whether I got one as well, I will usually say no completely honestly because I did not get this one. This requires them to either test the email on their own or enlist someone like me to help them do so, which is what we want them to be doing with suspicious mails anyway.

          If you don't know that it is a test, tell everyone.

          1. Doctor Syntax Silver badge

            Re: Unannounced security tests

            "If you don't know that it is a test, tell everyone."

            So unless you sent it, tell everyone and find out who still falls for it.

            1. doublelayer Silver badge

              Re: Unannounced security tests

              If the link they're clicking on is to a phishing test provider, the one your company contracts with, you can probably take a pretty good guess that it's a phishing test. If you're not sure, you can ask whoever sends them out, and if they tell you that it is one, then you know for certain. There are ways to know that other than being the sender. If you're trying to test vigilance, it can be useful to know who will click on something when there isn't someone shouting for them not to; a real attack will not necessarily go to the users who know what they're doing. Clicking on a link even when I'm looking over your shoulder and telling you it's a bad idea is a bad sign, but someone who avoids doing that is not necessarily good enough to avoid the real risks.

              1. Robert Carnegie Silver badge

                Re: Unannounced security tests

                This implies that the best way to do phishing is by posing as a phishing test service.

                If you have a phishing report function, then report it. If you work with idiots, then announce it... that there is a sneaky evil e-mail, not the other thing.

                Create a new separate e-mail, subject line "Suspicious E Mail - Free beer for who has the best password", as a warning that the free beer offer that you received may be not sincere. Do it quickly.

                If anyone sends their password to you and demands the free beer... do whatever you dare to.

                1. doublelayer Silver badge

                  Re: Unannounced security tests

                  This kind of response is exactly why tests at my company do not go to everyone at once. Someone refraining from clicking a link because someone else specifically told them not to is not good enough. If an attacker sends them, and only them, a message, then they still need to catch it and at least ask someone who knows what they're doing. Warnings on something you know to be a test are harmful.

                  "This implies that the best way to do phishing is by posing as a phishing test service."

                  There is a reason why I said that, to be reasonably sure, you would not just check that it looks like a phishing test service, but the one that previous tests have used. And why I said that to be completely certain, you would get explicit confirmation from the team that handles reports or sends out the messages. No, it does not imply that impersonating a test service is the best way to do phishing. Unless it can successfully impersonate your test provider, it won't pass my stated requirements, and if you know enough to check those requirements, you're not going to be filling it out anyway.

                2. Jou (Mxyzptlk) Silver badge

                  Re: Unannounced security tests

                  I'd answer with the list of passwords we use (i.e. actually my script generates) to set expired accounts to, and then deactivate them after the password change.

                  The list will be a binary file "Zero delimited", each will be fifty characters ranging from 0x01 to 0xFF, and contains at no part more than three consecutive characters (like 111 or abc or XYZ or one of those unprintable ones) and no "known natural four or more letter word in German or English language". Also including: "Bell", "Backspace" "Escape", "CR", "LF", "Tabulator" and so on, which are a bit difficult to enter at most password prompts, even with copy paste.

                  After I got the correct amount of beer for that I would give it to all my coworkers since usually I don't drink beer.

                3. Mark White

                  Re: Unannounced security tests

                  Iinstalledapasswordmanagerandalligotwasthislousypassword

                  1. Jou (Mxyzptlk) Silver badge

                    Re: Unannounced security tests

                    Thank you, added to deny-list.

              2. TSM

                Re: Unannounced security tests

                > If the link they're clicking on is to a phishing test provider, the one your company contracts with, you can probably take a pretty good guess that it's a phishing test.

                The first one or two phishing tests our company organised were detectable this way. Since then they use a different domain for each test, and the domains have no useful whois information available to tie them back to the security company.

    2. Allan George Dyer

      Re: Unannounced security tests

      Announce loudly. Anyone who listens is still learning by example as you tell them the features that tipped you off.

      1. MiguelC Silver badge
        Happy

        Re: Unannounced security tests

        I once spoiled a test done by our security team because, as the phishing email was well crafted enough to be believable, I quickly alerted everyone that I'd received one and that they should be aware if it happened to them - which it did. I then alerted the security team and was told it was a test. My team (and others near us) passed with flying colours.

        1. AustinTX

          Re: Unannounced security tests

          I would say you really did the right thing though. Since you didn't know it was a test, you acted appropriately to protect the team and company. Unless there is a company rule that you should alert only the security team and let them manage any alerts.

  6. BinkyTheMagicPaperclip Silver badge

    A 'formal assessment of the MSSP's work'

    I'd like to know if the MSSP subsequently renewed the contract, and if not, how large the WRDLY addition was to the contract renewal.

    I still remember the moment we grew up at work, when a fussy client insisted on procedure and documentation following an issue that was very probably their own fault, rather than being more relaxed and permitting a bit of give and take.

    Their subsequent quotes were somewhat larger. Technical flannel was provided as the reason for the larger quote. The real reason is that asking for a grown up service (specification, change control, sign off, thorough testing, tracking, and documentation) attracts grown up pricing.

    1. Joe W Silver badge

      Re: A 'formal assessment of the MSSP's work'

      This is why we have very slim SLAs with our partners (essentially we are all a big lump of different... let's call us companies under a big umbrella). I am the service level manager, and my power and penalties end at raising my finger and telling them to "please never do this again". I'm fine with that, provided I don't ever have to shout and rat on people....

  7. Anonymous Coward
    Anonymous Coward

    We had a client migration where we were handing things over to another IT team. First part of the migration was to transfer their O365 accounts to a new tenant.

    At this point we were still handling things like support tickets, but the email system was under the other teams control.

    We had to contact their "security provider" and tell them to ignore the results of their phishing tests. They asked why. We asked how many users were being accused of clicking phishing links...

    We had trained the users so well that every single phishing email got forwarded to us, and our process for checking suspicious links that look plausible involves clicking them...

    1. Anonymous Coward
      Anonymous Coward

      "involves clicking them..."

      That is what VirusTotal is for. Submit the link, do not click it. Also there are sites that will let you preview the link you submit, to see those fake O365 login pages without actually going to them.

      1. AcornAnomaly

        How will that help in this scenario?

        Those people will still get flagged as having clicked the link.

        These tests work by generating unique URLs for each tested user, and then seeing which unique URLs get accessed.

        If ANYTHING accesses that URL, whether it's a security team member, VirusTotal, or a site previewer, that will still look like a failure to the ones running the test.

        You're not wrong that such measures can help you validate the site without having to open a potentially hostile site yourself, but the problem in this case is users being wrongly flagged as having failed a phishing test, which will still happen with your advice.

        1. Anonymous Coward
          Anonymous Coward

          We utilize KB4 for the same; they have a plugin that works with O365 and other products (I'm sure companies similar to KB4 do the same) that prevents them from going to the phishing bucket, and also prevents only these from being scanned by our other tools, so it doesn't flag the user as failing for the link being hit. It did take a little tuning.

          Every phishing test company should offer similar. If not there are others that do.
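Added example serving both AcornAnomaly's point (any fetch of a per-user URL counts as a click) and the KB4-style exclusion the reply above describes. This is my code, not any vendor's: the token scheme, landing domain, log format, excluded network and user-agent strings are all assumptions. `naive_clicked` scores the way AcornAnomaly describes; `attribute` discards hits from the analysis sandbox and known link scanners before counting, so a user who forwarded the mail to the security team is not marked as having failed.

```python
"""Phishing-test click attribution with per-user tokens and scanner exclusion.
Added example, not any vendor's code: the token scheme, landing domain, log
format, excluded networks and agent strings are all assumptions."""
import hashlib
import hmac
import ipaddress

CAMPAIGN = "q4-invoice"
CAMPAIGN_SECRET = b"assumed-per-campaign-secret"        # rotate every campaign
LANDING_BASE = "https://invoice-portal.example/view/"   # assumed test domain

# Assumed exclusions: the SOC's analysis range and link-scanner user agents.
EXCLUDED_NETWORKS = [ipaddress.ip_network("10.99.0.0/24")]
EXCLUDED_AGENT_SUBSTRINGS = ("virustotal", "urlscan", "safe links", "python-requests")


def token_for(campaign, user):
    """Opaque per-user token; nothing about the user is recoverable from the URL."""
    msg = f"{campaign}:{user}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def build_campaign(campaign, users):
    """Return ({token: user}, {user: landing_url}) for one send."""
    tokens = {token_for(campaign, u): u for u in users}
    urls = {u: LANDING_BASE + t for t, u in tokens.items()}
    return tokens, urls


def parse_hit(line):
    """Constructed landing-page log format: ip|path|user-agent."""
    ip, path, agent = line.split("|", 2)
    return ip, path.rsplit("/", 1)[-1], agent


def is_excluded(ip, agent):
    """Hit came from something other than the tested user's own client."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in EXCLUDED_NETWORKS):
        return True
    return any(s in agent.lower() for s in EXCLUDED_AGENT_SUBSTRINGS)


def naive_clicked(tokens, log_lines):
    """What AcornAnomaly describes: any fetch of a user's URL counts as a click."""
    return {tokens[t] for _, t, _ in map(parse_hit, log_lines) if t in tokens}


def attribute(tokens, log_lines):
    """Return (clicked, excluded, unknown): users whose URL was fetched by a real
    client, hits discarded as analyst/scanner traffic, and tokens never issued."""
    clicked, excluded, unknown = set(), [], set()
    for line in log_lines:
        ip, token, agent = parse_hit(line)
        user = tokens.get(token)
        if user is None:
            unknown.add(token)
            continue
        if is_excluded(ip, agent):
            excluded.append((user, ip, agent))
        else:
            clicked.add(user)
    return clicked, excluded, unknown


# Constructed landing-page hits (no real traffic): alice clicked; bob forwarded
# the mail, so the SOC sandbox and a link scanner fetched his URL; carol ignored it.
SAMPLE_LOG = [
    f"10.0.5.23|/view/{token_for(CAMPAIGN, 'alice')}|Mozilla/5.0 (Windows NT 10.0) Chrome/120",
    f"10.99.0.7|/view/{token_for(CAMPAIGN, 'bob')}|Mozilla/5.0 (X11; Linux x86_64) Firefox/121",
    f"203.0.113.9|/view/{token_for(CAMPAIGN, 'bob')}|VirusTotal-link-scanner/1.0",
    "198.51.100.2|/view/0000000000000000|curl/8.4",
]

if __name__ == "__main__":
    tokens, urls = build_campaign(CAMPAIGN, ["alice", "bob", "carol"])
    print("naive:", naive_clicked(tokens, SAMPLE_LOG))
    print("attributed:", attribute(tokens, SAMPLE_LOG))
```

Two caveats a practitioner should keep in view: user-agent matching is a heuristic (a scanner can send a browser agent, so an IP-range or header-based exclusion agreed with the security team is the reliable part), and the exclusion only fixes the scoring. Against a real attacker every fetch, scanner or not, still confirms that the address is live, which is doublelayer's point further down.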

        2. Not Yb Bronze badge

          My question is "Why are you clicking on ANY link in a phishing email, for any reason whatsoever?"

          Any information, including "security accessed this URL" can help a real attacker get further in with the next attempt.

    2. Jou (Mxyzptlk) Silver badge

      > clicking them

      More details please. Like: Was it a physically separated network, including its own internet, and there within a VM where all activity can be recorded and monitored? Not even a KVM switch, separate mouse/keyboard/monitor too?

    3. doublelayer Silver badge

      "our process for checking suspicious links that look plausible involves clicking them"

      And almost certainly telling the attacker that this address exists and has someone who clicks on links, so send some more over there. Sure, it's a lot better than if they actually got what they wanted, and I'm assuming you clicked them on a machine that didn't have any credentials to try to steal, but does the risk of sending information to the attacker about the link clicked cause any concern?

  8. Jou (Mxyzptlk) Silver badge

    "Forced" password change in a few months

    I have (not yet had) the case where one finance guy right below the C-suite refuses to change his known-too-short-and-easy-by-today's-standard password. After over a year of "indirect communication", since I am better off not contacting him directly, I did the following and communicated it within a small circle of trustworthy people: As domain admin I can reset the "password has been changed at date X" flag to represent the current time/day even though the password was not changed. So the first step was this trick, and the second was to remove the "password never expires" flag. Which means his "password changed at date X" will time out coming February and he will be forced to do so, when nobody except for a few trustworthy people know how and when that was possible. The excuse is prepared: "Security Audit automatism" - which is kinda true.

    Additional note: He is the only one among a few tens of thousands, including the whole C-suite and all below, who refused to follow that policy without force or simply consistently ignored it. You gotta love Active Directory for its additional "msDS-UserPasswordExpiryTimeComputed" property, making my audit work so much easier.
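Added example (my code, not Jou's script) of what the post relies on: how msDS-UserPasswordExpiryTimeComputed is derived from pwdLastSet, the DONT_EXPIRE_PASSWD bit in userAccountControl and the domain's maxPwdAge, and the pwdLastSet trick itself. A client may write only two values to pwdLastSet: 0 forces a change at next logon, and -1 stamps the attribute with the current time, which is how the "changed at date X" date gets reset without a password change. The directory records, the 90-day policy and the audit date are constructed; nothing here talks to a real domain.

```python
"""How msDS-UserPasswordExpiryTimeComputed is derived from pwdLastSet,
userAccountControl and the domain's maxPwdAge, plus the pwdLastSet 0 / -1
writes. Added example; the directory records are constructed and nothing here
touches a real domain."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK = 10_000_000                 # 100-nanosecond intervals per second
NEVER = 0x7FFFFFFFFFFFFFFF        # value AD reports when the password never expires
DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl bit
NORMAL_ACCOUNT = 0x200


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH        # integer arithmetic: floats lose ticks at 1e17
    return (d.days * 86400 + d.seconds) * TICK + d.microseconds * 10


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_expiry(pwd_last_set, user_account_control, max_pwd_age):
    """Mirror the constructed attribute. max_pwd_age is maxPwdAge as stored:
    a negative number of 100 ns ticks (0 = no domain maximum)."""
    if user_account_control & DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return NEVER
    if pwd_last_set == 0:
        return 0                  # must change at next logon
    return pwd_last_set - max_pwd_age   # minus a negative age = plus the age


def days_left(expiry, now):
    """None = never expires, 0 = expired / change at next logon."""
    if expiry == NEVER:
        return None
    if expiry == 0:
        return 0
    return (filetime_to_datetime(expiry) - now).days


def write_pwd_last_set(record, value, now):
    """Clients may write only 0 (force change) or -1 (stamp current DC time)."""
    if value == 0:
        record["pwdLastSet"] = 0
    elif value == -1:
        record["pwdLastSet"] = datetime_to_filetime(now)
    else:
        raise ValueError("pwdLastSet accepts only 0 or -1 from a client")
    return record


def force_expiry_without_change(record, now):
    """Jou's sequence: stamp pwdLastSet with 'now' (write 0, then -1) and clear
    the never-expires bit, so the normal maxPwdAge clock starts from today."""
    write_pwd_last_set(record, 0, now)
    write_pwd_last_set(record, -1, now)
    record["userAccountControl"] &= ~DONT_EXPIRE_PASSWD
    return record


def audit(records, max_pwd_age, now):
    """sAMAccountName -> days until expiry (None for never-expiring accounts)."""
    return {
        r["sAMAccountName"]: days_left(
            password_expiry(r["pwdLastSet"], r["userAccountControl"], max_pwd_age), now)
        for r in records
    }


NOW = datetime(2023, 12, 29, 12, 0, tzinfo=timezone.utc)   # assumed audit time
MAX_PWD_AGE = -90 * 86400 * TICK                            # assumed 90-day policy
SAMPLE = [  # constructed records
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=80))},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
    {"sAMAccountName": "finance", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=900))},
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE, MAX_PWD_AGE, NOW))
    force_expiry_without_change(SAMPLE[2], NOW)
    print("after: ", audit(SAMPLE, MAX_PWD_AGE, NOW))
```

The audit function is the part worth keeping: a fine-grained password policy (PSO) overrides the domain maxPwdAge for its members, so on a real domain read msDS-UserPasswordExpiryTimeComputed from the DC rather than recomputing it, and use this code only to understand what that value means.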

    1. Robert Carnegie Silver badge

      Re: "Forced" password change in a few months

      Good heavens. Just find out his password, change it, and use his e-mail to send slightly unprofessional e-mails to several female colleagues. Or board members. Joke about the word "member" (for males). Also in the e-mail, tell everyone what the old password is. Then, deny everything.

      A happy memory is of my sister explaining how she used her work computer, "I type commnet commnet ...oops". Her password was also "commnet" and she'd just told me. I expect she has changed it since then. In case she has not, it wasn't actually "commnet".

  9. J. Cook Silver badge
    Boffin

    So....

    one of the many hats I wear at [RedactedCo] is email admin. Which means that when I'm not having prolonged, pitched battles with the support team about Why We Keep Office and Outlook especially Up To Date, I'm occasionally assisting the InfoSec team with their phishing tests, so I (usually) have advanced notice of tests.

    Some of the ones that we've done.... are pretty clever, and have nearly caught me. Some of the other emails we've gotten (actual phishes!) are.... not so clever.

    While I'm not officially part of the InfoSec team there, I work pretty closely with them (one of my other hats is the web filter admin) and before we had a dedicated InfoSec team, a lot of the incidents landed on both my desk, and the desks of the other admins, so I have at least half a clue as how to go about things properly. :)

  10. The Oncoming Scorn Silver badge
    Pint

    OK My Last Post Was Not My Last Post Of 2023 (May Generate Downvotes)

    So at one place of work I had a number of scripts under one menu, which dealt with the day to day stuff, common password resets, emails directing them to training\HR etc, sent out by entering username, ticket number (manager was looked up & CC'd in, in certain cases) & a few other unique details.....

    One of the tickets came in for a replacement laptop, previous one damaged\defective.

    Now we did a lot of prep with the client's credentials, settings, vendor accounts & tools in their profile, set up & configured prior to shipping, & the password was requested. If they didn't provide the password it would be changed at end of business, thus we provided the new password to his manager: to not change that password until the unit was shipped, & here's the new password that will be set. Other details included were the old asset details, basically 20 odd unique things that wouldn't be known.

    So the inevitable ticket comes in from the manager, reporting a phishing attempt\suspicious e-mail. So I ring them up.

    Hi John (For that was not his name)

    Yes?

    Its Bert (For that is not my name either) from the service desk about this suspicious email.

    Yes

    Can you verify you have a staff member by the name of George Porgy (For that also was not his name) under you?

    Yes

    Can you verify you are aware he's got a broken laptop & submitted a ticket for replacement?

    Yes

    Can you verify that ticket number?

    Yes it's INC0012331

    Are all these details the same as in the e-mail you are reporting?

    Yes

    Why then do you think it's fake?

    OH!

    Icon - Another Friday beer for New Year as the case may be.

    1. Jou (Mxyzptlk) Silver badge

      Re: OK My Last Post Was Not My Last Post Of 2023 (May Generate Downvotes)

      No, you deserve an upvote. Blasting someone's inability to think into his (virtual) face in such a polite manner deserves an upvote.

  11. Turkey_Bender

    We had a developer that thought the "ILOVEYOU" virus seemed interesting, and he wanted to examine the code.

    Unfortunately, he executed it by mistake.

    But because the universe loves to punish us, he also had a drive mapped to a production volume containing thousands of photos. (yeah- things were less strict in those days)

    Took us over a week to get all the image files back from tape. (yes- tape. a different time)

    The developer was the only person who understood a key product, so he just got a slap on the wrist.

    *sigh*

    1. Robert Carnegie Silver badge

      I think that's the one that my boss thought might be a virus, so instead of opening it, he forwarded it to me to ask what I thought. Fortunately I'd already heard of it, probably from The Register. I do keep old e-mails, so maybe I still have it?

    2. collinsl Silver badge

      Tape is still routinely used for archival backup so not really a comparable timescale pointer

  12. Anonymous Coward
    Anonymous Coward

    "African banking outfit."

    Noticed "African banking outfit."

    The CEO wouldn't be Musk's clever elder brother Felon? No?

    Clearly in this case not a Mycroft.

  13. M.V. Lipvig Silver badge

    If you want phishing taken seriously

    Then the test should take control of the computer, max out the speakers, then start playing something loud. Make it a Rickroll, the Barbie song, or even something like 2 minutes of the Starship Enterprise being attacked by Klingons. It just has to be something embarrassing to the clicker. After getting stung in an embarrassing way a few times, they'll be more mindful.

    1. Headley_Grange Silver badge

      Re: If you want phishing taken seriously

      I've worked with engineers who would see this as a badge of honour, not shame.

    2. Robert Carnegie Silver badge

      Re: If you want phishing taken seriously

      "Star Trekkin" by The Firm, first chorus for the first offence, then an increasing scale.

      Make the full track available to play without misbehaviour, to avoid encouraging that.

      Many of us have videophone earpiece headsets, though. But accessing the loudspeakers should be possible by pwning the machine. Or without that.

    3. justjosephhere

      Re: If you want phishing taken seriously

      Yes, I love that one! An Admin acquaintance clued me in to that sort of memorable "gotcha" lesson years ago. He also had an extended version that locked the keyboard and recorded then played back 5 minutes of audio during the lockdown. I was never around when it happened (darn) but I did receive a few emails afterward from the recipients of the practical jokes. Some folks have no sense of humor.

  14. This post has been deleted by its author

  15. Pete Sdev Bronze badge
    Pirate

    Own cyber security...

    We host many of our clients' websites. We don't provide any special security as they're not in a high risk category such as banks. They're not even ecommerce sites. We do patch software on a very regular basis, and we have a fairly simple nginx+fail2ban setup to block bad bots and help protect against DDoS.

    One client hired a 3rd party to perform a security audit which included testing the website we host. No problem, we were informed in advance, etc.

    One day after the audit started we received an email from the "cybersecurity" company requesting we whitelist their IP because their pentest tool was being blocked. This we did (with much internal scorn and ridicule).

    Basically the client was probably paying €ks for someone to run a basic exploit searching script that anybody with half a clue could do in an hour or so. And not particularly well.
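Added example (my code, not the commenter's setup) of the mechanism in play here: a minimal fail2ban-style sliding-window ban over nginx access-log lines, with an ignoreip allowlist standing in for the whitelist entry the tester asked for. The log lines are constructed and the ban criteria (which statuses count, how many, in what window) are assumptions, not fail2ban's shipped filters. Run once as-is the scanner is banned on its fifth 404; run with its range in `ignoreip` it is never counted, which is what the whitelist request amounts to.

```python
"""Minimal fail2ban-style ban logic for nginx access logs, with an ignoreip
allowlist. Added example (not the commenter's setup): log lines are constructed,
and the ban criteria are assumptions, not fail2ban's shipped filters."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: ip ident user [time] "request" status bytes "ref" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BAD_STATUSES = {400, 403, 404}   # assumed "bot probing" signal; tune per site


def ban_candidates(lines, maxretry=5, findtime_s=600, ignoreip=()):
    """Return {ip: time_of_ban} for sources that produced >= maxretry bad
    responses inside a sliding findtime window; ignoreip networks never ban."""
    findtime = timedelta(seconds=findtime_s)
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)      # ip -> timestamps of recent bad responses
    banned = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # unparsable line: skip, never guess
        ip, status = m["ip"], int(m["status"])
        if status not in BAD_STATUSES:
            continue
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue                  # allowlisted: the tester after the email
        ts = datetime.strptime(m["ts"], TS_FMT)
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()          # expire hits older than findtime
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


def _line(ip, sec, path, status, agent):
    return (f'{ip} - - [28/Dec/2023:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 153 "-" "{agent}"')


# Constructed sample: a scanner walking common paths, and one ordinary visitor.
SAMPLE_LOG = [
    _line("198.51.100.7", s, p, 404, "Nikto/2.1.6")
    for s, p in enumerate(["/wp-login.php", "/.env", "/phpmyadmin/", "/admin/",
                           "/.git/config", "/xmlrpc.php"], start=1)
] + [
    _line("203.0.113.4", 7, "/", 200, "Mozilla/5.0"),
    _line("203.0.113.4", 8, "/favicon.ico", 404, "Mozilla/5.0"),
]

if __name__ == "__main__":
    print("default:", ban_candidates(SAMPLE_LOG))
    print("tester allowlisted:", ban_candidates(SAMPLE_LOG, ignoreip=("198.51.100.0/24",)))
```

Whether a tester should be allowlisted is a scoping question for the engagement: with the tester in ignoreip the application gets tested, without it the ban layer does. What the code makes visible is that the two are not the same test, and that a scanner which trips a maxretry=5 rule inside a minute has not been tuned to look like anything but a scanner.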

  16. ecofeco Silver badge
    Facepalm

    Have clients what?

    Have your clients worked against you and caused tech support troubles?

    Is this a trick question?

  17. Anonymous Coward
    Anonymous Coward

    Do not get this article

    Sounds like standard security practice in financial services. I've never known an announced red team engagement. The point is to test the teams' reaction, which seems to have been effective. Often alert lag will result in emails at unsociable hours, unfortunate but part of the job.

    If you caught up with the pen testers in a reasonable time and triaged the bleeding then you proved your value. If you missed alerts or triaged incorrectly then there is something to argue about at contract renewal time......

  18. CowHorseFrog Silver badge

    I've got a brilliant idea... let's pay millions to idiots who don't know shit about computers. The average cleaner in basically all F500 knows more about computers, and yet the CEO gets millions and the cleaner gets a few dollars an hour.

    1. Jou (Mxyzptlk) Silver badge
  19. Grogan Silver badge

    Emails from a local telco/ISP here look more fake than the phishing ones lol

    The real ones come from ISPNAME-noreply@smarthub.coop and the URLs are https://ISPNAME.smarthub.coop which is bloody silly! The emails are html formatted, but it's just text (no logos or anything)

    The fake ones have addresses like billing@ISPNAME.com and admin@ISPNAME.com etc. and actually seem more professional in their wording. I get fake ones on the same day as the real ones that look the same or better.

    I still have family members that wanted to keep the email addresses on that ISP (we haven't used them in decades) so I pay $10/month for two email addresses and I get billing emails every month. I have to admit that I had to look at the headers when they first started using that smarthub.coop service (whatever the fuck that is) for their mailings. It was hard to believe those were the legit ones lol

    I'm betting that this messes up a lot of their customers in this area, clicking on fake billing links.
