Tuesday, April 7, 2015

Social Engineering Challenge 7: What's My Password?

My challenge for this week: get 10 passwords from shoulder surfing.

Perfect. I work in IT. People bring their computers to me several times a day to have problems fixed.

Normally, I'm courteous and look away when I ask people to log in to their account. This past week, I kept a watchful eye on every keyboard that crossed my desk. In all, I learned 23 passwords. I also learned that a not-insignificant number of employees have never changed their password, and are still using the default. This was a great opportunity to identify this problem and correct it, so I'm glad I got this challenge!

With this information, I could pose as another user on the corporate network, and anything I did would be logged to their credentials. If another employee got my password, they could cause a lot of damage. I'm already an administrator, so having a non-IT employee's credentials wouldn't give me any extra access, but it would allow me to somewhat cover my tracks with whatever I decided to do.

Morally, I took issue with this, mainly because I was violating the privacy of my coworkers. On the other hand, I was able to identify a security hole. I was very surprised how many users had never changed their password. I'm very accustomed to users sending their password in plaintext in a helpdesk ticket, but that's a different issue.

As a bonus, I was called to an executive's desk last week to assist with something. When I asked him to log into his account, he asked me what his password is. When I said, "I don't know. We don't keep records of employee passwords," I was scoffed at. Wow.

Just. Wow.

- The Admiral

2 comments:

  1. Good point Admiral. I remember when I was an intern in a big company here, the help desk team that was responsible for Active Directory accounts (they had a team just for this) would receive a call from a client and they would repeat the user name out loud and then do the same for the new password (reading it off the screen slowly so the user could copy it). I am guessing it was a temporary one, but still, if someone could log in before the real user, then they could access everything under the client's credentials. It's weird how there is very little awareness of this issue.

  2. See... social engineering is a much easier way in than you think, and passwords as authentication is flawed! Not just a textbook lesson now. :) 5 points!
