Tell HN: IT guy at my company just did what?

23 points by WtxzBM ↗ HN
So I got locked out of my account twice today at the aerospace company where I work. I presume someone was entering incorrect passwords for me and I don't think it was me. First time, IT guy said ok "answer these three personal security questions you set and I'll unlock your account". I answered them, account unlocked, good to go.

The second time I called, the same guy answered and said "oh... I think I remember you from a few hours ago. No need to answer any of your security questions, I think I remember them." AND THEN HE SAID THE ANSWERS BACK TO ME OVER THE PHONE. I was dumbfounded. Had to come here to get reactions.

29 comments

[ 3.7 ms ] story [ 82.8 ms ] thread
HAH. I know people in the field and you have my deepest sympathies. All that security theatre to be ruined by a defcon skimping on IT training. Personally my company uses yubikeys and I couldnt be happier but some people I know still use depricated methods I won't elaborate on which is quiiite concerning for people we've entrusted with our health and safety.
I'm not sure whether reading back the info is the weird stuff or whether blocking targets of attempted password logins rather than the source of the attempts is the odd part. But I too can disable accounts of my colleagues in my company's ERP.
It works this way everywhere.
I worked at a major global financial services firm. When I needed to have some maintenance work done on my company laptop, our IT guy came to my desk and asked me to write my password on a post-it for him so he could access it. Security is a lot less secure than whoever wrote the policies might have thought
Eh, unless your company’s threat model includes malicious IT workers it’s w/e in my book. I could just reset your password (and put the hashes back so you wouldn’t know) or keylog your machine.

The whole reason you even have a password is to authenticate to my systems. If I can’t be trusted with it we’ve got bigger problems.

You think a company with 200k employees should have "IT" come around asking for laptops and passwords as SOP? What could possibly go wrong?
My guess is that you were already pre-authenticated by some internal system for him so he gave you a slack.

And also I think you were not the first calling with that specific issue and likely it was not external attack - related but rather internal system failure related that he was aware of.

Every IT person enters the field fresh and full of the all the best safety practices for keeping things 100% secure.

And then they start dealing with people. Many of whom have trouble finding the "enter" key on the keyboard.

And so the IT folks invariably fall into the habit of going the route that's 10x easier and 98% safe.

Developers too. Do we really need this error-handling clause for scenarios that can only occur on Linux 2.4.x running on PPC hardware with non-standard locales?
Ey, don't discriminate against my wii
You should have some sort of 2FA, or phone number, or have a system in place for managers to vouch for the employee by phone or something.

Security questions are a vector for privacy breaches and much less effective than the above.

Hahaha, I do this constantly as an IT guy. You tell me your password, I'm never going to forget it. Shoot, I still remember the IP schemes and addresses from my Novell Netware servers from the job I left over 15 years ago.

I always say, "NO! Don't tell me your password, just type it in."

edit: for clarity's sake; NO, we were not still using Netware in 2007.

> Shoot, I still remember the IP schemes and addresses from my Novell Netware servers from the job I left over 15 years ago.

My home internet provider recently changed up the IP ranges they have us connected on. I instantly recognized it as being the same subnet that the computers at my high school used to be on 25 years ago. And sure enough, whois confirms that the range is still controlled by the school district.

For a brief moment of my life I memorised like a half windows xp cd key…
Meh why are you worried about security? They aren’t.
Good point. You can never be more secure than your IT crew. Unless you treat the LAN as hostile, which you totally should.
How should I start treating my lan as hostile?
First, turn off password and root ssh logins to your machine. Treat all the other machines on the LAN as if they have already been suborned. Don't 'ssh -A' to them if it would enable them to log back into your machine. No 'ssh -X' either except from within a VM on your machine, with its own X-in-a-window.

I.e., pretend every other machine is out on the open internet.

There are new ssh options to keep closer control of credentials.

(comment deleted)
I would print any emails and mention it to a superior. Especially if this is an MSP.
A lot of IT people have very detail oriented memories.

If they remember you had an issue, they usually watch out for you within some X amount of time period so if there is a follow-up its short and sweet, not drawn out, its all about doing the least amount of effort for the most amount of work.

If you've ever seen the IT crowd, I'm talking mimeograph here.

Use a password manager to generate 16 character strings as answers to each security questions. I guarantee your IT person will no longer remember them.
But then these calls will be way more tedious
And when you're asked for your security answers just tell them it was some gibberish random characters.
This. Security questions are almost always visible to humans in plaintext, and those humans are expected to be the judge of whether the security question was answered correctly.

I used to do random characters, but have switch to a string of random dictionary words. Still not perfect (since "a string of random words" could potentially be accepted as a valid answer), but I feel like having it be human-readable makes it less prone to that kind of fuzzing.

From my experiences trying to tell non-native or highly accented English speakers gibberish URLs or filenames, that would probably be an exercise in misery.

"Three. Like one-two-three." -> they hear "tree" or "123"

"'D'. Like Able Baker Charlie Delta." -> they hear anything ending in "ee", or "abelbakercharlydelta"

And so on, ad nauseum.

Were the answers to the security questions truly secret? At my last company the questions were all publicly available. Start date, name of manager, etc. It only blocked the laziest of adversaries.
Why do you care? If you don't own the stock of the company, then it's not your loss.