Thursday, July 06, 2006

Exclude illiterate supervisors from e-Hierarchy?

Slashdot.org reports that the FBI's password database was compromised from the inside by an IT consultant. It goes on to say how he got hold of the database's hashed passwords and, through a dictionary attack, recovered many passwords with high-level access, including that of the director, Robert Mueller. You may read the whole story here.

This reminded me of a similar incident while I was working as an administrator at a Network Operations Center. A rootkit-infected PC was used to launch a dictionary attack and crack some domain passwords. One of them belonged to the director, who had full administrative rights. The moment his account was compromised, the attacker could go anywhere inside our network and do anything: from sniffing more passwords and accessing further resources to bringing down key elements of our infrastructure.

See the similarities? In both cases the director's password was compromised by a simple dictionary attack. That resulted in a horrible breach of security, since the director has full access to everything. So... why would he protect a full-access account with a dictionary word? Let's take things from the top.

In companies and organizations there's always the traditional hierarchy, starting from interns and going up to the head, the director. However, in the world of Information Technology, being at some level does not always mean you have more skills than the man below you. That's because IT people tend to hold low- and medium-level positions, while high-level ones are filled by business managers or given out on political criteria. Therefore it's a mixed system, and seniority is a relative subject.

Unavoidably, many directors have little or no knowledge of computers, let alone of their security. Yet traditional hierarchy states that they should hold the "keys" to the company, aka the admin passwords to everything.

So what we do is entrust powerful secrets to people with the IT background of a 5-year-old. As a result, the world's best security techniques and many millions of dollars won't be enough as long as there are such weak human factors.

Wouldn't it be saner for the senior employee in the IT department to have full access to the internal network, while non-IT personnel (including the head of the company) have only user access?

You try to do your job and secure and contain an internet-connected network with unsuspecting employees clicking on every new e-mail worm or virus, and at the same time critical decisions have to go through technology-illiterate people who will never understand them.

To finish the story, let me say that our director (the one with full access to everything) used his username as his password as well. The attacker(s), using domain administrative rights, planted rootkits on all the other computers in our network (yep, all Windows). As soon as we discovered the breach and found out how we had been compromised (we were utterly deflated), the director was notified. He didn't say anything. He didn't say a god damn thing! He remained silent, deep in his ignorance. His password was changed from, let's say, "myusername" to "myusername123". Great! The next couple of days I had to work overtime to remove all the malicious software from the PCs, change critical passwords and upgrade our security. All I got was complaints from employees for not letting them "do their jobs".
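Both incidents above come down to the same thing: a privileged account protected by a password that a dictionary attack with trivial mangling rules recovers in seconds, and a "fix" (appending 123) that changes nothing. The following is an added example, not the author's code or anything from the incidents described. It is a password-change policy check plus an offline self-audit of a password store, written in Python. The wordlist, usernames and hashes are constructed for the example, and the store is assumed to hold unsalted hex SHA-1 digests (an assumption about a 2006-era system, not something the post states).

```python
import hashlib
import itertools

# Constructed sample wordlist; a real audit would load a full dictionary file.
WORDLIST = ["password", "welcome", "letmein", "summer", "director", "secret"]
# Mangling rules a minimal dictionary attack applies to every word.
SUFFIXES = ["", "1", "12", "123", "!", "2006"]


def sha1_hex(password):
    """Unsalted hex SHA-1, assumed here as the store's hashing scheme (constructed)."""
    return hashlib.sha1(password.encode()).hexdigest()


def guesses(username, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Return the set of guesses a minimal dictionary attack would try against
    this account: each wordlist entry plus the username itself, with a
    capitalised variant and each common suffix appended."""
    seeds = set(wordlist) | {username.lower()}
    out = set()
    for seed, suffix in itertools.product(seeds, suffixes):
        out.add(seed + suffix)
        out.add(seed.capitalize() + suffix)
    return out


def password_problems(username, password, min_len=12):
    """Policy check to run at password-change time. Returns the list of reasons
    the password is rejected; an empty list means it passed."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if password in guesses(username):
        problems.append("found by a dictionary attack with common suffixes")
    return problems


def audit_hashes(accounts, hash_fn=sha1_hex):
    """Offline self-audit of a {username: digest} store. Returns
    {username: recovered_password} for every account whose password lies in
    that account's guess set. Salted, deliberately slow hashes would make the
    same audit (and the same attack) far more expensive per guess."""
    found = {}
    for user, digest in accounts.items():
        for guess in guesses(user):
            if hash_fn(guess) == digest:
                found[user] = guess
                break
    return found


# Constructed store mirroring the post: one account uses its username as the
# password, one "fixed" it by appending 123, one uses a long random passphrase.
SAMPLE_STORE = {
    "jdirector": sha1_hex("jdirector"),
    "jsmith": sha1_hex("jsmith123"),
    "netadmin": sha1_hex("orbit-wrench-lantern-quartz-9"),
}

if __name__ == "__main__":
    for user, pw in [("jdirector", "jdirector"), ("jdirector", "jdirector123"),
                     ("netadmin", "orbit-wrench-lantern-quartz-9")]:
        print(user, pw, "->", password_problems(user, pw) or "ok")
    print("recovered by self-audit:", audit_hashes(SAMPLE_STORE))
```

The policy check rejects "myusername123" for the same two reasons it rejects "myusername", and the audit recovers both in the same pass; only the passphrase account survives. Running such an audit against your own store before a rootkit-infected PC does it for you is the cheap version of the lesson in this post.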

If you ask me, the people who are hired to provide IT support must have absolute authority on that subject. Otherwise their role is cancelled out, and all that's left is an illusion of safety lying around.

Since the CEO of an automobile company does not interfere with the chief mechanic's decisions on engine design, why should the CEO of an IT company do so?

Returning to the FBI case, the IT consultant is facing charges while the director will not be touched. So the one man who pointed out the weakness will be punished, while the idiot who left the door of the FBI unlocked gets to keep his chair.
